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Abstract 
This thesis investigates a particular approach, called state-transition specification, 
to the problem of describing the behavior of modules in a distributed or concurrent 
computer system. A state-transition specification consists of: (1) a state machine, 
which incorporates the safety or invariance properties of the module, and (2) validity 
conditions on the computations of the machine, which capture the desired liveness or 
eventuality properties. The theory and techniques of state-transition specification are 
developed from first principles to a point at which it is possible to write example 
~ specifications, to check the specifications for consistency, and to perform correctness 
nroofs using the snerificatinns The utility of the techniques is demonstrated through 
examples. | , 
Major contributions.of the thesis include: (1) the definition of a semantic model 
that incorporates hierarchy of abstraction and modular decomposition as fundamental 
notions; (2) specification and proof techniques that smoothly handie both safety and 
liveness properties; (3) techniques that use liveness properties stated in 
rely-/guarantee-condition form to. obtain simple proofs of correctness; (4) an interesting 
and useful notion of consistency for specifications involving liveness properties. 


Keywords: . State-transition specification, verification, concurrency, hierarchy, modularity, 


temporal logic, safety, liveness, rely/quarantee conditions 
Thesis Supervisor: Nancy A. Lynch 


Title: Associate Professor of Computer Science and Engineering 


i 
A 


Acknowledgements . 


| am deeply indebted to my thesis adviser, Nancy Lynch, but for whom this thesis 
would likely never have been completed. Nancy read many, many difficult drafts of this 
work with enthusiasm and promptness that went far beyond the mere call of duty. She 
always seemed to manage not only to identify the most troublesome portions of each 
draft, but to make insightful suggestions for improvement as well. | am also grateful to 
John Guttag, Barbara Liskov, and Albert Meyer for their suggestions on improving the 
presentation. Discussions with Bill Weihl helped to formulate ideas during the early 
stages. 


in an entirely different category are my parents, Joan S. Stark and William L. Stark, 
Jr., who made it seem natural that | should seek and complete graduate education, and 
whose love and support during this endeavor | cannot adequately acknowledge. Julian 
Stanley of Johns Hopkins made it possible for me to pursue the undergraduate portion 
of my education at an accelerated rate. 


Finally, | would like to thank the chessplayers at Au Bon Pain in Harvard Square for 
providing a much-needed diversion during the past year. 


CONTENTS 
1. INtrOGUCTION ..........ceesceeeeeeeeeee eens seats oi etuunwae AO 
1.F Scope Of the THESIS scscccscccdesesssiscassancccessaceidancandecdsstsncdecsesssts 7 
V2 AT BDO iscsi idsssccadévnncediesnacseutavuansteastecscacsevesvercsnndecdstsases 8 
1.3 Outline of the Thesis ...............cccccccssssscescssssssssnecsssesssensenses 15 
1.4 Related Work ........ccscssesseeee jadGievddacsdeaacvacledeassseteueeCavesedsaseece 17 


2. Framework for a Theory of Specification ..... 38 


2.1 Interfaces, Observations, and Behavi0I ........cscessessseeee 38 
2.2 Abstraction, Decomposition, and Interconnection .......... 41 
2.3 Specification, Implementation, and Correctness ............. 43 


3. State-Transition Specifications ................... 45 


3.1 Subset Specifications ........cecsssssssesssssssonssseses wazeasieabvassees 46 
3.2 Machines and Computations ........... dscusimededeastusssesnnaeonanetss 48 
3.3 Properties Of HIStOFIS ..........ssscscssssrscccessessssrssesconcssesenccenes 50 
3.4 State-Transition Specifications ...........cccessssscnsceeseesesseenes 52 
3.5 The Correctness THEOreM .....sccssssssssscerscerssssscssesesesssesceces 54 
3.6 Possibilities MAPPINGS ..........cccsssssccscorseenseesscseeneresessvseensces 58 
3.7 Rely-/Guarantee-Conditions ....sssscssscssccssssecessessesseceeseeee 60 


4. The Synchronizer Implementation ............... 66 


GT INQUGTON gsc cisvisesassicwadstinsinparicevenscccccuscpaceatcedacberasspiasccaniadonnne 66 
4.2 Specification of the Synchronizer MOduIe ...........cccseseeees 67 
4.3 Specification of the Synchronizer Component Module ... 69 
4.4 Correctness of the Synchronizer Implementation ............ 73 


5. Consistency of Specifications ...................0+ 82 
5.1 1/O-SyStOMS ......cccceccsssssssreeeeeeeeee 5 sduwecdhaadhavaparstesavasuavengeaaee 83 
5.2 1/O0-Behaviors and 1/O-Consistency .........scssssessecsesereenses 87 
5.3 Machine Characterization of {/O-Behaviors ........ccscceseee 88 
5.4 Examples of 1/O-Behavi0rs ..........ssssssssssecseasssssssecsceserseevees 97 
5.5 Composition of 1/O-Behaviols ........cssssscccsessssssssssseesscoees 107 
5.6 Alternative Classes of Computable Behaviors ..........00000 110 
6. A Completeness Result ..................4: suesecwas 112 
6.1 Specification DOMAINS ..........ccccccsssssssssssrstsccetssesesssnransees 112 
6.2 Locally 3-Consistent Subset Specifications .............0008 116 
6.3 Well-Formedness Properties of Specifications. .............. 117 
6.4 The Completeness Theorem ........scssssssssssscscesssscscsserereeens 120 
7. CONCIUSION ........cceeeeeseeseeeeeees Meta teeta aici 123 
7.1 SUMMALY vocecessresstscnees § feaetet cu anainteeiteteken 123 
7.2 Ideas for Future Work ......... ce cssscsessnerseeetssnesscnsssasarenecsens 124 


Appendix !. Formal Specification and Proof ... 136 


1.3 Event/State AIQebras ......ccccccsssssccsssssnescessssscessensensessesse 137 
1.4 Description of Event/State Algebras ..............ccsssssnseees 140 
1.5 Implementation Algebras ..........:sssssssesseceesesecesscssessesneeteves 144 
LG PLool TECHNIQUES - is sccecnsscéscrssaielecsedescerescniatssaddcensndsncaunsevens 146 
1.7 Rely-/Guarantee-Condition Proof Techniques ............... 149 
1.8 1/O-Consistency Proof TECHNIque ........ccccsesecescsssrseestenes 150 
Appendix Il. Additional Examples .................. 152 
11.9 A Distributed Resource Management Algorithm ............ 163 
11.10 A Message Transmission System ..........cccccssesessserevees 180 


Appendix Ill. Index of Definitions ......... aiviiees COL 


1. Introduction 


The purpose of this thesis is to investigate a particular approach, called 
_ $tate-transition specification, to the problem of describing the behavior of modules in a 
concurrent or distributed computer system. In the state-transition approach, the 
desired behavior is described in terms of a kind of state machine whose computations 
generate records of event occurrences, called observations. A _ state-transition 
specification consists of two parts: (1) the definition of the state machine, which 
incorporates the “safety” or invariance properties of the module, and (2) the definition 
of some validity conditions on the computations of the machine, whose purpose is to 
capture the desired module "liveness" or eventuality properties. A state-transition 
specification defines a set of “acceptable” observations, namely the observations 
produced by valid computations of the state machine. A module behavior satisfies such 
a specification if the module behavior contains only acceptable observations. 


The idea of describing module behavior with the help of state machines is not new, 
having already been proposed in various forms by other authors, [e.g. Parnas72, 
Yonezawa77, Lamport83]. However, previous work seems to be concerned primarily 
with how to write module specifications, and how to use proof rules to prove the 
correctness of implementations. The important issues of what constitutes the meaning 
of a specification, and what it means for an implementation to be correct, have not 
received satisfactory treatment. As a result, it is impossible to answer important 
questions such as: "What rules are sound for proving the correctness of an 
implementation," and "When is a specification consistent?" 


This thesis improves upon previous work by systematically developing the theory 
and techniques of specification from "first principles" to a point at which it is possible to 
write example specifications, to prove implementations correct, and to check 
specifications for consistency. The theory incorporates an underlying semantic model 
within which one can formulate language-independent definitions of the notions of 
“implementation” and "correctness." The meaning of state-transition specifications is 
defined in terms of the model, and all proof techniques are shown to be sound with 
respect to the model. 


The major contributions of this thesis are: 
(1) The definition of a semantic model that incorporates hierarchy of 
abstraction and modular decomposition as fundamental notions. 
(2) Specification and proof techniques that smoothly handle both safety and 
liveness properties. 
(3) Techniques that use liveness properties stated in rely-/guarantee-condition 
form to obtain simple proofs of correctness. 
(4) An interesting and useful notion of consistency for specifications involving 
liveness properties. 
(5) ‘Illustration of the utility of the ideas developed through specifications, 
implementations, and correctness proofs for three examples: 
(a) a synchronizer module, which is implemented by a ring-structured 
network of synchronizer component modules, 
(b) a resource management module, which is implemented by a 
tree-structured network of local resource manager modules, 
(c) a message transmission module, which is implemented by unreliable 
transmission line modules, a send protocol module, and a receive protocol module, 
which together obey the alternating bit protocol. 


1.1 Scope of the Thesis 


A specification is a piece of text whose purpose is to describe the desired 
operation of a module in a computer system. Specifications form an integral part of a 
“top-down" design method in which design proceeds by the successive decomposition 
of a module to be implemented into a collection of interacting component modules 
[Liskov79, Wirth71]. The purpose of specifications in such an approach is to serve as a 
contract between the user and the implementer of a module. This helps to limit 
complexity by permitting a system to be decomposed into modules of reasonable size, 
such that each module depends only upon the specifications, and not the 
implementations, of the modules with which it interacts. 


To permit the possibility of rigorous reasoning about specifications, a specification 
language should be given a formal semantics in terms of an underlying mathematical 
semantic domain. \n this thesis, we use the term behavior to refer to the elements of a 
semantic domain, since the purpose of these elements is to serve as a mathematical 


model of the behavior of a portion of a real-world computer system. The semantics of a 
specification language describe how each specification denotes a set of behaviors that 
satisfy the specification. If the semantics of a programming language are defined so 
- that each important program fragment denotes a behavior, then it is possible to derive 
syntactic rules for proving that (the denotations of) program fragments satisfy (the 
denotations of) specifications. The purpose of this thesis is not to propose particular 
formal specification or programming languages, but rather to investigate a collection of 
language-independent semantic concepts upon which particular specification and 
programming languages might be based. We therefore assume that specification and 
programming languages can have their meanings defined in terms of behaviors, and do 
not concern ourselves with the precise method by which this is accomplished. 


In this thesis, we are concerned with concurrent or distributed systems. By this we 
mean systems that are most naturally viewed as a collection of independent, 
communicating modules, such that effects of concurrent operation of the various 
modules form a significant part of the description of system behavior. This thesis is 
primarily concerned with the concurrency asnect of distributed computing; while the 
model and techniques do not rule out the possibility of treating other aspects such as 
node crashes and network failures, no special structure to deal with these probiems is 
included. The techniques of this thesis have been developed primarily with the idea that 
they would be applied to the problem of describing and reasoning about distributed 
algorithms. The examples presented are of this kind. 


1.2 An Example 


In this section, an example specification problem will be used to introduce 
informally the fundamental ideas about specification on which this thesis is based. 


1.2.1 The Synchronizer Module 


Consider the following scenario: A number of processes in a computer system 
require the use of a single resource to accomplish their respective tasks; however, 
because of limitations inherent in the resource, at most one process can be allowed to 
access the resource at any instant of time. To enforce this restriction, a synchronizer 
module is introduced, and the processes, which we will refer to as the user processes, 
are required to obtain permission from the synchronizer module before accessing the 
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resource. It is the job of the synchronizer module to produce correct synchronization of 
the user processes’ accesses to the resource. Our problem is to describe precisely the 
‘synchronizer module behaviors that are “acceptable” in the sense that they always 
’ produce “correct synchronization.” This precise description is the specification of the 
synchronizer module. 


When a user process desires to access the resource, it issues a try request to the 
synchronizer module. The user process is then supposed to wait until it receives a run 
response from the synchronizer module... When the user process is finished using the 
resource, it issues a rest response to the synchronizer module. We can capture these 
decisions in diagrammatic form as shown in Figure 1, in which the synchonizer module 
is depicted as a circle, and the possible requests and response are drawn as arcs 
incident on and exiting from the circle, respectively. We assume that there are a total of 
N user processes accessing the synchronizer module, and have used a subscripted 
process number to distinguish the requests and responses corresponding to different 
processes. 


Fig. 1. The Synchronizer Module 


Synchronizer 


Module 
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The set of all possible requests and responses for the synchronizer module can be 
thought of as an "alphabet" or “syntax" for describing the interaction of the 
synchronizer module with its environment. We call this set the interface of the 
- synchronizer module, and refer to its elements as events. By observing the 
synchronizer module during an execution, we can obtain a record of the events that 
occurred during the execution. We call this record of event occurrences an 
observation, and assume that it takes the form of a finite or infinite sequence of events. 


By fixing the interface of the synchronizer module to be a particular set of events, 
we determine a universe of possible observations. We next consider how to describe 
which observations in this universe are "acceptable." We must include in our 
description the idea that at most one user process at a time may access the resource. 
Also, we wish to require that the synchronizer module be fair in the sense that every try 
request by a user process is eventually answered by a run response, if it is possible to 
do so without violating the mutual exclusion property. 


A natural way of describing which observations are acceptable is through the use 
of conceptual states. With this technique, we imagine that at any instant of time the 
synchronizer is in one of a number of possible internal states. These states may or may 
not have anything to do with the actual internal state of the synchronizer module; they 
are merely a tool for describing its observable behavior. After defining the set of initial 
states, we then describe for each event the preconditions required for that event to 
occur, and how the conceptual state of the synchronizer changes as a result of the 
occurrence of that event. 


The conceptual state of the synchronizer module at any instant of time is a vector 
that tells for each user process what the synchronizer module thinks that user is 
currently doing with respect to the resource, based on the requests and responses that 
have occurred so far. The possibilities are that the user is either trying to obtain 
permission to access the resource (trying), is actively using the resource (running), is 
done using the resource (resting), or has failed to correctly follow the protocol (error). 


1. The formal definition of observation used in this thesis is slightly more complicated 
than a finite or infinite sequences of events (see Chapter 2). This is done for technical 
reasons that are unimportant for the present, informal discussion. 
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Initially, the synchronizer module believes that each user process is resting. The state 
changes and preconditions are as follows: a try event for a process causes the state of 
that process to change to "trying" if it was previously resting, and to "error" otherwise; 
arun event for a process can occur only if that process is trying and no processes are 
currently running, and causes the state for that process to change to “running;" a rest 
event for a process causes the state of that process to change to "resting" if it was 
previously running, otherwise to "error." 


A particular observation for the synchronizer module satisfies the description of 

the previous paragraph if to each finite prefix of the observation we can assign a 
conceptual state in such a way that each state change satisfies the conditions 
enumerated in the previous paragraph. For example, assuming there are only two user 
processes, the observation 

try, try, run, rest, run, rest, 
satisfies the conditions above since we can assign internal states as follows: 

<resting, resting> try, <trying, resting> try, <trying, trying> run, <running, trying> 

rest, <resting, trying> run, <resting, running) rest, 
<resting, resting>. 

However, the observation 

try, try, run, run, rest, rest, 
does not represent a correct functioning of the synchronizer module since 

<resting, resting> try, <trying, resting> try, <trying, trying> run, <running, trying> 

run, <running, running> rest, <resting, running> rest, 
<resting, resting>, 

which is the only assignment of states that satisfies the state change requirements, has 
the property that the precondition for the run, event is not satisfied by the state 
<running, trying>. We will use the term “history” to refer to an observation that has 
been annotated with states. 


The state-transition description above tells us a significant amount about what are 
the correct observations of the synchronizer module, but it does not say everything that 
should be said. In particular, the requirement that every request by a user process 
should eventually be satisfied, if possible, is not captured by the state-transition 
description. Informally, the reason is that a state-transition description captures only 
properties of histories that are "local" in the sense that they involve only adjacent 
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states, whereas the fairness property we would like is a “global” property that involves 
possibly widely separated portions of the history. If the conceptual state technique is to 
work, we must find some way to state global properties in a form compatible with the 
statement of the local properties. In Chapter 4 it will be shown how global properties 
can be expressed in the language of temporal logic. 


A specification of the synchronizer module via the conceptual state approach 
therefore consists of a state-transition description of the local properties that must be 
satisfied by acceptable observations, plus a description of additional global properties 
satisfied by such observations. A particular synchronizer module behavior is said to 
Satisfy the synchronizer module specification if it contains only acceptable 
observations. 


1.2.2 Implementation, Abstraction, and Composition 


Now let us consider how the synchronizer module might be implemented. A 
possible organization is shown in Figure 2. In Figure 2, the synchronizer module is 
shown to be composed of a number of "synchronizer component" modules connected 
in a ring-like fashion. Each synchronizer component module interacts with exactly one 
user process and with its neighboring synchronizer component modules. The 
implementation operates as follows: There is a single ‘conceptual token that circulates 
around the ring in the clockwise direction. A synchronizer component module must 
possess the token whenever it grants its associated user permission to access the 
resource. In addition to the try, run, and rest events with which communication with the 
user is accomplished, a synchronizer component module may pass the token to its 
clockwise neighbor with a token_out event, may receive the token from its 
counterclockwise neighbor with a token_in event, may request the token from its 
counterclockwise neighbor with a request_out event, and may accept a request from its 
clockwise neighbor with a request_in event. 


We resolve the implementation relationship between the synchronizer component 
modules and the synchronizer module into two separate operations on systems: a 
composition operation, which takes a number of component modules and combines 
them into a larger system, and an abstraction operation, which takes the larger system 
and throws away internal details that are not of interest in the more abstract view. In the 
synchronizer example the composition operation takes a collection of synchronizer 


me Ke 


Fig. 2. Implementation of the Synchronizer Module 


Synchronizer | 
Module 


component modules and connects them into a ring network, and the abstraction 
operation throws away the details of the internal communication between the 
component modules, saving only the events that make up the interface with the user 
processes. 
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1.2.3 Correctness of an Implementation 


Suppose we are given a specification for the synchronizer module, and 
_ specifications for each of the synchronizer component modules. Each specification 
determines a set of behaviors that satisfy it. The implementation is "correct" with 
respect to these specifications if, no matter what behaviors we “plug in" for the 
synchronizer component modules, as long as each component behavior satisfies its 
specification, then the resulting synchronizer module behavior, constructed from the 
components via the operations of composition and abstraction, satisfies the 
synchronizer module specification. 


1.2.4 Summary 


The ideas presented in this section can be summarized as follows: 

(1) Every module in a system has a well defined interface, which is the syntax 
with which it interacts with other modules in the system. 

(2) An interface defines a universe of observations, which are records of 
operation that might be produced by a module with that interface. These observations 
constitute the possible "functionings" of the module. The set of all observations that 
can be produced by a particular module instance serves as the behavior of that module 
instance. 

(3) A module can be specified by describing a set of "acceptable" 
observations. A module behavior “satisfies” such a specification if it contains only 
acceptable observations. 

(4) An implementation of an abstract module in terms of a collection of 
component modules consists of a composition operation for combining Component 
module behaviors to form a "composite" behavior, and an abstraction operation for 
deleting information from the composite behavior to obtain a behavior of the abstract 
module. 

(5) An implementation is correct with respect to given specifications if, 
whenever we apply the composition operation of the implementation to a collection of 
behaviors that satisfy the component module specifications, and then apply the 
abstraction operation of the implementation to the resulting composite behavior, we 
obtain a behavior that satisfies the abstract module specification. 
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1.3 Outline of the Thesis 


This thesis is an attempt to elaborate and make more precise the ideas illustrated 
_ informally in the previous section. In particular, an attempt will be made to answer the 
questions: 

(1) What is an appropriate mathematical framework that adequately captures 
the notions of interface, observation, composition, abstraction, implementation, 
specification, and correctness discussed above? (Chapter 2) 

(2) How can we translate, in a natural and systematic way, an intuitive 
understanding of the function to be performed by a module into a precise specification? 
(State-Transition Specifications, Chapter 3) 

(3) Once we have obtained such a specification, how can we be sure that it 
says something meaningful? (Consistency of specifications, Chapter 5) 

(4) How can we show, in a systematic way, that a particular implementation of 
an abstract module by a collection of component modules is correct with respect to 
given specifications? (Correctness Proofs, Chapters 3, 4, Appendix I!) 


and proofs of correctness? (Rely/Guarantee-Conditions, Chapters 3, 4, Appendix Il) 
(6) How might the specification and proof techniques developed in this thesis 
be formalized to permit the use of mechanical aids? (Event/State Algebras, Appendix 1). 


This thesis is organized as follows: Chapter 2 introduces formal definitions of the 
notions of interface, observation, abstraction, composition, implementation, and 
correctness. Some of the modeling choices embodied in these definitions are 
discussed. 


In Chapter 3, the basic definitions of Chapter 2 are used to define formally the 
notion of a state-transition specification. The main result of Chapter 3 is the 
Correctness Theorem (Theorem 3.9), which shows how the structure of state-transition 
specifications can be exploited to obtain a systematic method for performing 
correctness proofs. Secondary results of Chapter 3 (Lemma 3.11, Lemma 3.12) suggest 
how the proof method embodied in the Correctness Theorem can be further 
systematized if module liveness specifications are expressed in terms of 
rely-/guarantee-conditions. 
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Chapter 4 applies the theory of Chapters 2 and 3 to the synchronizer example. 
The complete specifications of the synchronizer and synchronizer component modules 
are presented, and the synchronizer implementation is proved correct with respect to 
these specifications. The language of temporal logic is used as a notation for 


expressing liveness properties. 


Chapter 5 is concerned with finding an appropriate notion of consistency of 
specifications that include nontrivial liveness properties. Intuitively, a specification 
ought to be consistent if and only if it is satisfiable by some behavior. However, if by the 
term "behavior" we mean "arbitrary set of observations," then we obtain a notion of 
consistency that is much too liberal. To obtain stronger notions of consistency, we must 
restrict our attention to "realizable" or “computable” behaviors. Chapter 5 introduces a 
particular class of computable behaviors, the "I/O-behaviors," that is based on an 
underlying model of asynchronous concurrent computation called "!|/O-systems." The 
corresponding notion of "I/O-consistency” is found to be useful for distinguishing 
between "obviously realizable" and "obviously unrealizable" liveness specifications. 
Chapter 5 develnns a techninue for proving state-transition snecifications to be 
1/O-consistent and applies this technique to examples. 


In Chapter 6 a kind of completeness result is proved (the Completeness Theorem, 
Theorem 6.4), which gives sufficient conditions under which a correct implementation 
has a proof by the Correctness Theorem. The statement and proof of Theorem 6.4 uses 
in a crucial way the existence of a "specification domain," which is a class of behaviors, 
like the !/O-behaviors, with certain closure properties. 


Finally, Chapter 7 summarizes what has been accomplished and suggests avenues 
for future investigation. 


Additional important material is contained in Appendices |, Il, and Ill. Appendix | 
provides a formal semantics for the temporal logic language used informally in Chapters 
4-6, and shows the correctness and consistency proof techniques developed in the 
thesis can be formalized within this language. Appendix Ii considers two additional 
examples: a distributed resource management system, and a reliable message 
transmission system based on the alternating bit protocol. Both of these systems are 
specified and proved correct using the techniques developed in the main body of the 
thesis. Appendix Ill is an index of definitions. 
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1.4 Related Work 


The rather large body of work related to this thesis can be divided roughly into the 
_ following categories: 

(1) Specification of sequential programs/abstract data types. 

(2) Models of distributed/concurrent computation. 

(3) Temporal logic specification techniques. 

(4) Specification of communication protocols. 

(5) Other distributed/concurrent system specification techniques. 
Each of these categories will be discussed below. Further discussion is included at 
appropriate points in this thesis. 


1.4.1 Specification of Sequential Programs/Abstract Data Types 


Work in the area of specification of sequential programs can be classified into two 
categories: that concerned with the specification of the function to be performed by a 
program or program fragment, and that concerned with the specification of the data 
types manipulated by a program. 


Sequential Program Function Specification 


Specification of the function to be performed by a program or program fragment is 
a problem that must be addressed by any work on program correctness. In the 
sequential case, the semantics of a programming language assigns to each program 
fragment (statement, procedure, etc.) some mathematical object (denotation) 
representing the effect of executing that fragment. Typically, (see, e.g. [Jones81]) this 
denotation takes the form of a partial function or a binary relation on program states. A 
specification for a program fragment consists of some properties that must be satisfied 
by the denotation of that fragment. 


Often function specifications are expressed in the form of Floyd/Hoare partial 
correctness assertions (PCA’s) [Floyd67, Hoare69], consisting of a precondition and a 
postcondition, which are predicates on states. A program fragment satisfies a PCA if, 
whenever execution of the fragment is begun in a state satisfying the precondition, then 
execution will terminate only in a state satisfying the postcondition. Thus, if binary 
relations are used as denotations of fragments, a PCA is satisfied by any relation R such 
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that if <q, D € R and q satisfies the precondition of the PCA, then r satisfies the 
postcondition. 


Besides being convenient for specifying the function that must be satisfied by a 
program fragment, partial correctness assertions can be used to construct a formal 
deductive system for reasoning about the behavior of program fragments. For a good 
overview of these "Hoare logics" of programs, see [Apt81]. 


The partial correctness assertion technique has been generalized with some 
success to systems of concurrent processes f[e.g. Owicki76]. However these 
techniques suffer from a lack of modularity in the sense that there is no notion of the 
behavior of a single process in isolation. Thus it is possible to specify the function of a 
complete parallel program, but not the behavior of its constituent processes. Although 
a logic of partial correctness assertions is used to prove that the behavior of a program 
satisfies its specification, the truth of PCA’s associated with one process cannot be 
determined, except within the context of the PCA’s for all other processes. 


Partial correctness assertions are canable of expressing only safety properties of 
the form: "Whenever control is at point P, then relation R holds on the program 
variables. In general, one is interested in liveness specifications as well. For sequential 
programs, often the only liveness specifications of interest are statements that the 
program is guaranteed to terminate under certain conditions. Liveness properties of 
this simple form can be handled by incorporating termination into PCA’s, as in Dijkstra’s 
calculus of "weakest preconditions" [Dijkstra76], or by techniques completely outside 
of PCA’s, such as Floyd's well-founded set technique [Floyd67]. For distributed or 
concurrent programs, it is almost always the case that more general liveness properties 
than simple termination are of interest, and these require alternative techniques. 


Data Type Specification 


The problem of describing the data objects manipulated by a program, especially 
the user-defined data objects, is usually referred to as "specification of abstract data 
types." There are actually two quite different problems that are addressed in the 
literature on abstract data type specification: the specification of immutable abstract 
data types, whose objects do not change their state during execution, and the 
specification of mutable abstract data types, whose objects have changeable state. 
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Specification of immutable abstract data types is the problem of describing and 
reasoning about static collections of values, functions, and relations. Usually a 
collection of interdependent immutable abstract data types is identified with the 
- mathematical notion of a heterogeneous algebra, and algebras are described either 
axiomatically, as in [Guttag78, Goguen78, Kapur80], or via set-theoretic constructions, 
as in [Abrial80]. Specification of mutable abstract data types, on the other hand, can be 
thought of as the problem of describing and reasoning about the dynamic behavior of a 
collection of objects that can be manipulated using a limited set of procedures 
[Guttag80, Wing83]. Berzins [Berzins79] models a mutable abstract data type as a kind 
of state machine, which describes how the states of the mutable data objects evolve as 
a result of the invocation of the procedures. 


The problem of specifying iinmutable abstract data types is not addressed by this 
thesis. In fact, the specification and proof techniques presented in this thesis assume 
as a prerequisite the ability to describe heterogeneous algebras and to perform 
reasoning about such algebras once they have been described. On the other hand, the 
problem of specifying mutable abstract data types can be viewed as a snecial case of 

.the general problem of module specification considered in this thesis, by thinking of a 
mutable abstract data type in terms of a "type manager” module, which encapsulates 
the objects of the data type and which performs manipulations on these objects in 
response to requests by the environment. Viewed in this way, the purpose of a mutable 
abstract data type specification is to describe the correct “observations” for the type 
manager module. The notion of observation appropriate here is that of a history of 
“events,” where each event records either a request for the type manager to perform 
some manipulation on the objects, or a reply indicating the results of some previously 
requested manipulation. 


1.4.2 Models of Concurrent Computation 


Quite a number of models have been proposed for investigating concurrent and 
distributed computer programs [Brock83, Hoare81b, Hoare81a, Greif75, Hewitt77, 
Kahn74, Keller76, Lynch81, Pratt82, Rounds81]. In this thesis as well, specific 
assumptions are made about how to model the behavior of such systems. It is 
necessary to make these assumptions to reach a point at which concrete example 
specifications can be written and correctness proofs performed. However, a conscious 


effort has been made to assume no more structure than is necessary for the results of 
this thesis. An attempt has been made to identify a few fundamental concepts that are 
required of any model, if it is to serve as a semantic foundation for the theory of 
specification developed here. 


The fundamental concepts identified in this thesis are the notions of interface, 
observation, behavior, abstraction, and composition. These concepts, which have 
already been informally discussed, are given formal definitions in Chapter 2. In this 
section, we will briefly review the features of a number of extant models of concurrency 
and attempt to identify the notions of event, interface, observation, behavior, 
abstraction, and composition used here with corresponding notions in each of the 
models. We will also be interested in whether each model is suitable as a semantic 
basis for a specification language -- in particular, whether the model can model is useful 
for specifications involving liveness properties. 


Kahn-MacQueen Processes 


Ataiier eieygant model of concurrent compuiation is the stream processing model 
of Kahn [Kahn74] and Kahn and MacQueen [Kahn77]. In this model, a process 
communicates with its environment through a collection of named channels. A process 
uses each channel either as an input channel or an output channel, but never as both. 
During execution, a process can read input values from input channels and emit output 
values on output channels. We can imagine observing a process throughout an entire 
execution and recording the sequence of values transmitted on each channel. Such a 
sequence of values, which can be either finite or infinite, is called a stream. A process is 
modeled by a continuous function fram tuples of input streams to tuples of output 
streams. The notion of continuity used here is derived from the fact that streams under 
the prefix ordering form a partially ordered set which is complete under limits of 
increasing chains. Processes are deterministic in the sense that to each input tuple /, 
there is precisely one output tuple O that can be produced by a particular process, 
when that process is supplied with input /. This is a consequence of the fact that 
processes are modeled by functions. 


In the stream processing model, the sets of input and output channels used by a 
process serve as the interface of that process. The role of an observation of a process 
is played by a pair </, O>, where / is a tuple of streams corresponding to the input 


-21- 


channels, and O is a tuple of streams corresponding to the output channels. The usual 
identification of a function with its graph permits us to view a process behavior f as the 
set of all observations of the form </, f(/)>. 


A process network describes how to compose a collection of processes to form a 
composite system. Formally, a process network defines a kind of fixed point 
construction that maps a collection of component process behaviors to a behavior for 
the composite network. These fixed point constructions comprise the composition 
operations. The composition operations used by Kahn and MacQueen include features 
of both composition and abstraction as defined here, in the sense that once two 
processes have been connected by a communication channel, the stream of values 
transmitted over that channel is no longer of interest, and is ignored. 


The Kahn/MacQueen model is unsuitable for the purposes of this thesis because 
it is incapable of representing processes with nondeterministic behavior. 


Nondeterministic Process Nets 


There have been several attempts to generalize the stream processing model of 
Kahn and MacQueen to incorporate nondeterminism. One such attempt is reported by 
Brock in [Brock83] (superseding the earlier version [Brock81] by Brock and 
Ackermann), where references to other attempts are given. In [Brock83], it is shown 
that the straightforward attempt to generalize the model of Kahn and MacQueen by 
permitting process behaviors to be relations, rather than functions, is doomed to failure. 
Intuitively, the reason is that the behavior of nondeterministic processes depends, in 
general, on the relative orders in which inputs are received and outputs produced. in 
essence, Brock’s approach is to replace the </, O> observations used by Kahn and 
MacQueen by scenarios. Scenarios include, in addition to the streams of values 
transmitted on each of the channels, a partial ordering that records some of the 
information concerning the temporal order in which values were transmitted. The 
behavior of a process is defined to be the set of all scenarios that the process can 
produce in its various executions. Brock shows how composition operations on 
scenario sets can be defined, in analogy to the operations on continuous functions 
defined by Kahn and MacQueen. 


Pratt's [Pratt82] “repackages" Brock’s model into a general framework for 
modeling processes and their composition, in which the behavior of a process is 
represented by the set of all traces (partially ordered multisets of events) it is capable of 
- producing. As in the models of Kahn/MacQueen and Brock, the interface of a process 
can be identified with the set of all events in which the process can participate. The 
notion of trace plays the role of an observation. The notion of the restriction of a trace 
to a subset of its events is used to define composition of process behaviors. Restriction 
mappings on traces play essentially the same role in Pratt's model as decomposition 
maps play in the model of this thesis. 


The models of Brock and Pratt admit the possibility of infinite scenarios or traces, 
and therefore do not a priori rule out the possibility of modeling processes that satisfy 
nontrivial liveness properties. However, this possibility is not addressed by either Brock 
or Pratt. Since we are interested in modeling processes with liveness properties, the 
models of Brock and Pratt are not suitable in their present state of development. 


Communicating Sequential Processes 


An important class of models of concurrency [Francez79, Hoare81a, Hoare81b, 
Rounds81] has been developed through attempts to give a formal semantics to the 
language of "Communicating Sequential Processes" (CSP) defined in [Hoare78]. In 
each of these models, the behavior of a process describes the traces (finite sequences 
of communication events) in which the process is willing to participate as it executes. 
The set of all events in which a process can ever participate plays the role of the 
interface of that process. The notion of a trace plays the role of an observation. 
Although the particular notion of process behavior is different for different models, each 
of the models of CSP contains a collection of algebraic operations on process 
behaviors, which are used to define the meaning of the various constructs of CSP. In 
particular, each model has some sort of "restriction" or "hiding" operations, which 
cause events to be deleted from a process behavior, and some sort of "relabeling” 
operations, which allow events of a process to be renamed. These operations are used 
for essentially the same purpose as the abstraction operations used in this thesis. Each 
model also has one or more "composition" operations (composition by intersection, 
composition by interleaving, or a mixture of the two) corresponding to the composition 
operators of this chapter, whose effect is to combine process behaviors in various ways. 
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The important considerations for models of CSP derive from a feature peculiar to 
that language. A CSP process can refuse to communicate with its environment. If a 
CSP process refuses to perform any of the communications offered by its environment, 
then deadlock is the result. The different definitions of process behaviors in the various 
models of CSP arise from attempting to deal with (or to ignore) the subtleties of refusals 
and nondeterminism. 


In [Hoare81b], a process behavior is a prefix-closed set of traces, which can be 
viewed equivalently as a behavior of the kind defined in this thesis. There are 
operations in [Hoare81b] for deleting and renaming the events of a process. These 
operations are examples of the abstraction operators used in this thesis. Process 
behaviors are composed by the parallel composition operator |], which is defined as 
follows: If A is the behavior of a process with interface E and 8 is the behavior of a 
process with interface F, then A |] B is the set of all traces u formed from events in E U F 
such that the restriction of u to E is in A and the restriction of u to F is in B. This notion 
of composition is a particular example of the composition operators defined in this 
thesis. 


Hoare, Brookes, and Roscoe [Hoare81a] extend the work of [Hoare81b] to deal 
with the problems of refusals and nondeterminism. They do this by permitting behaviors 
to be more highly structured objects than just sets of traces. In particular, a behavior is 
a set of pairs <s, X>, where s is a trace, and X is a set of events that can be refused by 
the process after the trace s has been produced. Although they use a single universal 
set of events for all processes, we can imagine designating the set of all events that 
actually appear in a process as the interface of that process. As in the model of 
[Hoare81b], traces play the role of observations. There are "Concealment" operators 
for deleting events, and "inverse image” operators that permit renaming of events. 
There are no “direct image” operators, apparently because they are not as well 
behaved as the inverse image operators. Two kinds of parallel composition operations 
are defined: composition by intersection, in which events of the component processes 
are connected, and composition by interleaving, in which the events of the components 
remain independent. 


Rounds and Brookes [Rounds81] attempt to justify and extend the work of 
[Hoare81a] in the following way: A definition of process behaviors is made that includes 
somewhat more information than that of [Hoare81a], and is based on supposedly more 
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fundamental intuitive considerations. A number of algebraic operations, including 
composition and abstraction, are defined on behaviors. A notion of “observable 
equivalence" of behaviors is defined, and is shown to be a congruence. The quotient of 
_ the algebra of behaviors with respect to this congruence is then shown to be isomorphic 
to the model of [Hoare81a], thus providing evidence that this model exactly captures the 
externally observable properties of processes. 


There seem to be problems associated with the use of models of CSP as a 
semantic basis for specification languages. These problems center around the 
following two questions: (1) Do traces represent a "complete" record of execution of a 
process, or simply some finite portion of such a record? (2) What is the meaning of a 
liveness specification such as “eventually event a will occur," if a process can be 
placed in an environment that refuses to permit the occurrence of event a? 


With respect to question (1), it is difficult to see how the designers of the CSP 
models could have intended traces to represent complete observations. This is 
because in general a complete observation will be infinite, but the CSP models provide 
no method for extracting infinite traces from behaviors. Without a distinction between 
complete and incomplete observations, we have no way to determine whether a 
particular CSP process satisfies a liveness specification. It is clearly ridiculous to 
require that a specification such as "eventually event ‘a will occur" be satisfied by all 
“incomplete” as well as all “complete” observations. 


Question (2) arises from a desire to "assign the blame" for an unsatisfied liveness 
specification, either to a process or its environment. If a process can always be placed 
in an environment that can prevent the occurrence of event a, then the only reasonable 
conclusion we can draw is that the specification “eventually a will occur" is too strong 
(i.e. inconsistent). However, it is not clear how to weaken such a specification so that it 
can be regarded as consistent. 


The above problems associated with the models of CSP have been avoided here 
as follows: First, it is assumed here that the observations in a behavior represent 
complete records of execution. Second, we accept the obvious conclusion that the 
specification "eventually a will occur" is inconsistent with respect to a model (such as 
the mode! of [Hoare81b]) that admits the possibility of refusals. Instead of trying to find 
ways to weaken specifications like this so that they can be regarded as consistent even 


in the face of refusals, though, we construct a model in which refusals are not allowed. 
This is the idea behind the |/O-behaviors constructed in Chapter 5 of this thesis. 


Calculus of Communicating Systems 


Rather similar to the models of CSP discussed above is the "Calculus of 
Communicating Systems," (CCS) of [Milner80]. As in CSP, the notions of a 
communication event and a sequence of communication events are the fundamental 
concepts for describing the behavior of a process. The role of a process interface is 
played, in CCS as in CSP, by the set of communication events in which the process is 
capable of participating. The CCS notion of an observation is a sequence of events; in 
contrast to CSP, CCS admits the possibility of infinite observations. 


To represent the behavior of a process, Milner introduces the notion of a 
communication tree whose paths represent all possible complete histories of 
communication for a process. In a communication tree there can be multiple arcs 
emanating from a single node, labeled with with the same communication event, and 
arcs Can be labeled with the speciai symbol 7, which represents an iniernai aciion of a 
process not associated with any communication event. Communication trees therefore 
contain more information about a process than just a simple set of traces. In fact, 
communication trees contain more information about a process than can be detected 
through composition with other processes. Milner addresses this problem by defining 
several notions of “observable equivalence” of communication trees, and shows that 
these relations are congruences for an algebra of processes whose operations include 
operations of composition and abstraction. He suggests that the class of process 
behaviors be obtained by forming the quotient of the algebra of communication trees 
with respect to one of these congruences. He is unable to reach a conclusion, though, 
as to which of the congruences is “best,” or to give explicit characterizations (not 
involving quotient constructions) of the quotient algebras. 


Although communication between two processes in CCS, as in CSP, is 
synchronized in the sense that it is represented by the simultaneous occurrence of 
communication events for the participating processes, communication in CCS is unlike 
that in CSP in the sense that a CCS process cannot prevent another process from 
performing an event. This is because the definition of the composition operation in CCS 
States that, if process A can perform an event a, and process A’ can perform the 
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“complementary” event a’, then the composition A || A‘ can perform either a, or a', or 
the communication represented by the simultaneous occurrence of both a and a’. 


The fact that observations can be infinite in CCS raises the question of whether it 
is possible to define CCS processes that satisfy interesting liveness properties. 
However, it seems that this possibility is ruled out by Milner’s composition operation. 
Milner’s composition operation is "unfair" in the sense that there are paths in the 
communication tree corresponding to the composition of two processes along which 
only one of the component processes gets to run. This means that no process can 
satisfy a specification of the form: "eventually a will occur," in an environment that has 
the capability of producing an infinite observation. 


Actors 


One of the earlier event-based models of computation is the actor model [Greif75, 
Hewitt77]._ An actor system consists of a collection of primitive computing agents 
(actors), that communicate by passing messages. A computation for an actor system is 
a patiiaiiy ordered set of events, where an event marks the arrivai of a message at its 
target. Receipt of a message activates the target actor, and may cause additional 
messages to be issued. The partial order represents a kind of temporal "precedes" 
relationship between events, formed by taking the transitive closure of the union of the 
“causes” relation and the “arrival” ordering, the latter of which linearly orders all events 
with the same target. Hewitt and Baker [Hewitt77] postulate certain laws that must be 
satisfied by the various orders. 


The actor model was originally applied [Greif75] to the specification of 
synchronization problems such as the mutual exclusion and readers/writers probiem. 
The specifications are written as axioms that constrain the possible computations of a 
system. The language used, although not formally defined, is essentially a propositional 
calculus in which the propositions are of the form "e — e',” which means that event e 
must precede event e' in any computation of a system satisfying the specification. 
Although no notion of state was used in the specifications, the language has 
nevertheless sufficient expressive power to handle several important examples. 


Subsequent work concentrated on applying the actor model to the specification of 
more complex systems, both distributed and centralized [Yonezawa77]. In contrast to 
the work of Greif, Yonezawa's specifications have a decidedly state-transition flavor, 
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and although proponents of the actor model consistently argue that global! state is not a 
well-defined notion for distributed systems, the "situations" used in Yonezawa’'s 
correctness proofs appear to be just such global states. 


In the actor model, the notion of an actor is generally defined by informal axioms 
and description, which are insufficient to answer the question: "What is an actor?" We 
must know the answer to this question if we wish to obtain a meaningful notion of the 
collection of all actors that satisfy a given specification, and to show the validity of rules 
for deriving consequences of specifications of actor systems. The question of what 
actors are has only recently been dealt with by Clinger [Clinger81], who defines actors 
and their computations directly in terms of set-theoretic constructs. It is interesting to 
note that, although actor enthusiasts like to point out that viewing computations as: 
partially ordered sets of events captures "true" concurrency better than linearly ordered 
computations, Clinger shows that the laws of Hewitt and Baker are in fact equivalent to 
the existence of a global linear ordering of events in a computation. 


To relate the actor model to the model used in this thesis, we can attempt to 
identify notions of interface, observation, behavior, abstraction, and composition in the 
actor model. There seems to be no obvious notion of the interface of an actor. The 
notion of a partially ordered set of events plays the role of an observation. Roughly 
speaking, Clinger defines the behavior of an actor to be a function that describes the 
actor’s response (i.e. its state change and message transmissions) to the receipt of a 
message. Although we can imagine composing a collection of independent actors into 
a composite system, there seems to be no formal notion in the actor model 
corresponding to such an operation. As mentioned above, the existence of the arrival 
ordering prevents the definition of an abstraction operation. 


The actor model has certain defects that render it unsuitable for a theory of 
specification. The major difficulty is that the actor model does not support abstraction 
of systems in a uniform way. There are notions of an actor and a system of actors, but 
no way to view a system abstractly as a single actor. The artificial “arrival ordering,” 
imposed on all events that occur at a single actor, is the primary feature that prevents 
abstraction from being defined in a reasonable way. Another reason is the fact that 
every message must contain the name of its target actor, since this means that it is 
never possible to completely suppress the internal structure of an actor system. 


Lynch/Fischer Processes 


In the model of distributed computation proposed by Lynch and Fischer 
{[Lynch81], the primitive objects are variables and processes, and systems of processes. 
A variable is a mailbox-like container for values, and a process is a kind of state machine 
that can perform input and output on variables. A system of processes consists of a 
collection of processes that communicate through variables. The variables of a system 
of processes are partitioned into external and internal variables. There is a kind of 
composition operation that combines a collection of systems of processes to form a 
larger system. There is aiso a kind of abstraction operation that transforms some of the 
external variables of a system into internal ones. 


A correspondence between Lynch and Fischer’s model and the model of this 
thesis can be established, if the notion of an event is identified with Lynch and Fischer’s 
notion of a "variable action." A variable action describes the change in the value of a 
variable resulting from a single execution step. The interface of a system of processes 
is the set of all variable actions it can perform. The behavior of a system of processes is, 
as Lynch and Fischer define, the set of all finite and infinite sequences of variable 
actions the system is capable of performing. To view Lynch and Fischer’s operation of 
composition of systems of processes as a special case of the composition operators 
defined here, it is necessary to account for the requirement that the actions on a single 
variable in the computation of a system have consistent values. This is easily 
accomplished if variables are thought of as active entities with an interface and a 
behavior. The interface of a variable is the set of all variable actions that can be 
performed on it. The behavior of a variable is the set of all finite and infinite sequences 
of variable actions in which the value read in each variable action equals the value 
written in the immediately preceding variable action. 


In terms of modeling power, the model of this thesis and that of Lynch and Fischer 
appear equivalent. Lynch and Fischer’s model is certainly capable of handling 
nondeterminism and liveness properties. The main advantage of the model of this 
thesis over that of Lynch and Fischer is that the former contains fewer primitive 
concepts. It is not necessary to draw distinctions between variables, processes, and 
systems of processes, and the definitions of composition and abstraction are simplified 
by avoiding these distinctions. 


1.4.3 Temporal Logic Specification 


Several authors [Hailpern80, Lamport83, Schwartz81] have proposed the use of 
temporal logic as a specification language and a vehicle for expressing correctness 
proofs. The use of temporal logic asa specification language evolved gradually from its 
use as an assertion language, that is, as a language for expressing properties of 
program executions [Pneuli77, Lamport80]. There is a subtle difference, though, 
between the semantics appropriate for temporal logic used as an assertion language 
and temporal logic used as a specification language. This difference, which has not 
been explicitly addressed in the literature,can be summarized as follows: Whereas 
temporal formulas as assertions express properties of single computations of a fixed 
program, temporal formulas as specifications express properties of the set of 
computations of an undetermined program. Stated another way, whereas a model for a 
temporal formula used as an assertion about a fixed program is a single computation of 
that program, a model for a temporal formula used as a specification is the set of all 
computations that can be produced by some program. This distinction has important 
fainifications for whal notion of consistency is appropriate in each case. A temporal 
formula used as an assertion about the computations of a fixed program is consistent if 
and only if there exists a computation of that program that satisfies the formula. A 
temporal formula used as a specification is consistent if and only if there exists a 
program, all of whose computations satisfy the formula. 


Another important issue that is not addressed explicitly in literature on temporal 
logic specification is the ability to specify a single module in isolation from particular 
program context.’ The notion of a program module satisfying a specification in isolation 
must be meaningful if specifications are to effect the beneficial separation between 
module use and implementation. Since extant work does not include the notion of the 
meaning of a specification in isolation, there has been no discussion of the following 
important question: How can we combine independent module specifications to perform 


1. Recent work [Barringer83], performed independently of the work described in this 
thesis, has begun to address some of the same issues, in particular: (1) temporal 
specifications express properties of sets of computations, rather than single 
computations, (2) specifications should have meaning that is independent of an 
enclosing context. 
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a proof of correctness? In particular, in what common language can the proof of 
correctness be expressed, and what deductions in this language are sufficient to imply 
the correctness of the implementation? 


Among the papers on temporal specification of concurrent program modules, the 
approach developed by Lamport [Lamport83] contemporarily with work on this thesis, 
results in specifications that appear most similar to the state-transition specifications 
described here. In Lamport’s approach, a specification consists of three parts: (1) A list 
of state functions, which define salient features of the program state; (2) A list of initial 
conditions, which represent assumptions on the initial values of the state functions; (3) 
A list of properties, which constitute the main body of the specification, and which can 
be viewed as standing for a collection of temporal logic formulas. The properties are of 
two kinds: safety properties and liveness properties. Safety properties describe the 
state transitions that are permissible for a program satisfying the specification, and 
liveness properties describe situations under which transitions are required. 


The way one writes a specification in Lamport’s approach is quite similar to the 
way one writes state-transition specifications as described in this thesis. At the 
semantic level, though, Lamport’s approach seems rather different. The difference can 
be summed up briefly as follows: In Lamport’s work, specifications for program 
modules play the role of assertions about the computations of a complete program in 
which the module appears. Whether or not a particular program module satisfies a 
specification can only be determined in such a context. In the framework presented in 
this thesis, whether a program module satisfies a specification can be determined 
without reference to any contextual information. 


The meaning of the state functions used in Lamport’s approach is obscure. 
Lamport says that state functions in a specification "should describe information that 
must be contained in the program state of any real implementation." This statement 
apparently implies that the value of the state functions is part of the observable behavior 
of the module being specified, and in this sense is just as important a part of a module 
specification as the relationship between the arguments passed and results returned 
from an invocation of an operation on the module. Choosing state functions that 
provide too detailed a view of the internal operation of a module can result in 
overspecification, since an implementer wishing to satisfy the specification is 
constrained to include enough information in the state so that the state functions can be 
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defined. 


This thesis resolves the problem of overspecification by introducing the notion of 
an interface. By defining a module interface, one fixes a particular class of module 
instances (i.e. the behaviors of that interface) which serves as a domain of discourse for 
the temporal specifications. In this thesis, a module interface is a set of events. An 
interface does not contain any notion of module state. States are used merely as a 
device for increasing the expressive power of the specification language to permit the 
desired properties of observations to be expressed in a convenient and natural way. 
Since states are not part of the module interface, the state set in a state-transition 
specification can be chosen on the basis of convenience, without danger of 
overspecification. 


Schwartz and Melliar-Smith have also proposed the use of temporal logic as a 
specification language. In [Schwartz80], specifications are developed for the 
alternating bit communication protocol. Appearing in these specifications are 
uninterpreted symbols such as "InQ" and "OutQ." These symbols, like the state 
functions used by Lamport, are evidently intended to refer to portions of the state that 
must be identifiable in any program satisfying the specifications. Schwartz and 
Melliar-Smith present collections of temporal axioms which they claim completely 
characterize the send and receive processes supporting the alternating bit protocol. 
There is little basis for this claim, since it is impossible to determine what a process is, 
much less determine whether the specifications characterize a particular process or 
class of processes. 


The axioms presented by Schwartz and Melliar-Smith involve complicated derived 
temporal operators such as "latches-until," which make the resulting specifications 
quite difficult to understand. The specifications have an ad hoc flavor, and it is difficult 
to obtain insight into how specifications for different examples would be obtained. In 
contrast, the state-transition approach discussed in this thesis suggests a systematic 
way of proceeding from an intuitive conception of the desired module behavior to a 
precise specification. Schwartz and Melliar-Smith present no proof that their send and 
receive process specifications correctly implement the service specification for the 
alternating bit protocol. Experience gained from the examples presented in this thesis 
suggests that specifications that have not been used in a proof of correctness are quite 
likely to contain errors. 
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Hailpern and Owicki [Hailpern80] propose a style of temporal logic specification 
that is different from the styles of Lamport and of Schwartz and Melliar-Smith. Hailpern 
and Owicki also use the alternating bit protocol as an example to illustrate their 
- approach to specification. In addition to symbols representing components of the 
internal states of processes in the system, Hailpern and Owicki introduce the notion of a 
history variable, whose value at any instant of time represents the entire history of 
communication between two processes up until that instant of time. They state 
explicitly that history variables are simply a descriptive tool, and are not intended to be 
implemented. History variables appear to be quite useful for writing high-level, 
nonprocedural specifications. For example, the safety properties satisfied by a 
transmission line could be expressed by stating that the history of messages delivered is 
always a prefix of the history of messages sent. 


The state-transition approach to specification presented in this thesis takes the 
history variable idea to its logical conclusion, by allowing arbitrarily structured history 
information (in the form of states), to be introduced into a specification, together with 
onerations for manipulating this information, This can he done differently for each 
specification, without change to the underlying semantic model. For example, the 
specification of the reliable transmission module presented in Chapter 6 uses the notion 
of the history of all messages input to the reliable transmission module. In the 
specification of the send protocol module in Chapter 6 it is convenient to define the 
notion of “the history of all messages for which acknowledgements have been 
received.” This history is a subhistory of the history of ali messages transmitted by the 
send protocol module, and would not be directly accessible in the model of Hailpern 
and Owicki. 


1.4.4 Specification of Communication Protocols 


The problem of specification of communication protocols has received a good 
deal of attention, and can be viewed as a special case of the more general problem, 
investigated here, of specification of modules in a distributed system. Two surveys of 
the protocol specification literature, written from different vantage points, can be found 
in [Sunshine78] and [Hailpern81]. 
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Of the numerous papers on protocol specification and verification, that of 
Bochmann [Bochmann78] appears to be most directly relevant to this thesis. 
Bochmann models a system as a collection of finite-state machines that affect each 
- other through coupled state transitions. This is highly analogous to the definition, given 
here, of composition of behaviors by identifying events. Bochmann also has a notion of 
abstraction by ignoring uninteresting transitions, which matches the concept of 
abstraction of behaviors used here. 


Schwabe [Schwabe81a, Schwabe81b] exploits the analogy between the 
instantaneous state of a communication protocol and a value of an abstract data type, 
to translate state-transition specifications of protocols into equational axioms that 
define an abstract data type. This translation enables him to verify correctness 
properties of communication protocols using an automated verifier (AFFIRM) originally 
intended for proving properties of abstract data types. However, only certain kinds of 
correctness properties can be stated and proved using his technique. in particular, 
liveness properties cannot be handled. Schwabe pays little attention to the semantics of 
his specifications, leaving some amhiguity as to what objects satisfy a specification, and 
what consitutes correctness of a protocol. 


It is interesting that the notions of hierarchy and modularity of systems, and the 
prerequisite Concept of the interface of a system with its environment, are much more 
prominent in the literature on protocol specification than they are in the literature on 
specification in general. In protocol specification, a system is viewed as a nested set of 
layers: the bottom level corresponds to the communication hardware, and each layer 
provides an abstract service to the next higher layer. The top level implements the 
service provided to the “end user." Typically the service provided by a level can be 
viewed as an abstract communication network connecting two users, which often have 
an asymmetric sender/receiver relationship. Higher levels of abstraction are 
implemented by interposing protocol! processes between the users and the 
communication service provided by the next lower level. The interface between the 
users and a service comprises the set of operations (e.g. open connection, send 
message), they can perform. A distinction is drawn between the specification of an 
abstract service provided to a user (the service specification) and a description of the 
protocol processes (the protocol! specification). 
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There are only a few specific correctness properties of interest for communication 
protocols: freedom from deadlock, completeness (i.e. definedness of the protocol in 
every reachable state), progress, and stability in the face of unexpected perturbations of 
- the protocol. These properties are certainly also of interest for more general kinds of 
distributed systems. All verification techniques in the communication protocol literature 
are ultimately based on representing the protocol processes and abstract 
communication media as _ finite-state machines, constructing a combined 
state-transition graph for the implementation, and performing various analyses on this 
graph. The state-transition approach to specification and verification is a natural 
generalization of this technique. It should be noted, however, that the machines used in 
the state-transition specifications in this thesis are not necessarily finite-state, and that 
reachability analysis of a system is performed by proving predicates to be invariant, 
rather than by explicit construction of the combined state-transition graph. This means 
that the proof techniques discussed in this thesis need not be subject to the 
combinatorial explosion problem often referred to in the literature on protocol 
verification. 


1.4.5 Other Concurrent System Specification Techniques 


Chen [Chen81, Chen82] develops a concurrent system specification language 
called EBS (Event-Based Specification Language), and gives specifications for a 
number of examples, including the alternating bit protocol. The EBS language can be 
thought of as a generalized version of the language used in [Greif75] to specify various 
synchronization problems. An EBS specification expresses properties of an event 
history, which is a partially ordered set of events. The EBS notion of an event history 
corresponds to the notion of an observation used in this thesis. 


Chen’s work seems to be motivated by a number of the same concerns that 
motivated this thesis. In particular, Chen discusses the distinction between the user's 
view and the designer’s or implementer's view of a system, and introduces a notion of 
interface to capture the way in which a system interacts with its environment. In Chen’s 
approach, a module interface consists of a collection of ports. There is a notion of 
module interconnection by identifying ports, which is reminiscent of the composition 
operations used in this thesis. Chen’s work does not, apparently, include a notion of 
behavior, or the idea that a module specification has meaning except with respect to a 


complete program context. Chen does not have a semantic definition of the 
correctness of an implementation from which the soundness of proof techniques can be 
derived. Rather, the notion of correct implementation seems to be identified with the 
notion of logical consequence. 


An interesting property of Chen’s specifications is that they tend to be 
“orthogonal.” An orthogonal specification is a specification that is composed of a 
collection of independent subspecifications. For example, Chen defines a number of 
different properties of a reliable transmission system, such as "no loss of messages," 
“no duplication of messages,” and “no erroneous messages.” It is not obvious how the 
State-transition technique presented in this thesis could support the writing of 
specifications with a comparable orthogonality property. 


The Gypsy system [Good79, Good82] has some capability for the specification and 
verification of distributed systems. In the Gypsy model, a distributed system is viewed as 
a collection of independent processes that communicate through message buffers. 
Specifications of the communication function performed by a process are expressed in 
terms of properties of "buffer histories," which represent the sequences of messages 
transmitted on, or received from message buffers. Gypsy seems capable of handling 
only safety properties. 


Correctness proofs in Gypsy are performed by deriving a collection of verification 
conditions from annotated program text, and then proving the validity of these 
verification conditions using a semi-automatic theorem prover. Evidently the validity of 
the verification conditions is taken as the definition of correctness; the literature shows 
no attempt to justify the sufficiency of the verification conditions in terms of any 
fundamental model of computation. Reasoning about the behavior of a system of 
processes in Gypsy is done in terms of relationships between buffer histories. The 
approach appears similar to Hailpern and Owicki’s history variable approach. 


An outgrowth of the Gypsy work is the work of DiVito [DiVito82], which is 
concerned with the description and mechanical verification of communication 
protocols. DiVito’s specifications contain liveness properties only, and are expressed in 
a decision table style that captures much the same information as the definitions of 
state-transition relations presented in this thesis. The purpose of DiVito’s work seems to 
be to quickly reach a point at which experimentation with mechanical verification is 


- 36 - 


possible. His focus is primarily on linguistic issues, rather than their semantics. 


Lansky and Owicki [Lansky83] have developed a language, called GEM, for the 
specification and verification of properties of concurrent systems. The underlying 
mode! of computation is an event-oriented model similar to the actor mode! [Greif75, 
Hewitt77], in which a computation of a system is represented as a set of events plus 
various relations on this set. The enable relation captures the notion of necessary 
temporal precedence, or causality, between events. The element partial ordering 
captures the notion of incidental temporal precedence, where one event precedes 
another because they happen to occur at the same point in space. The temporal partial 
ordering is the transitive closure of the union of the enable relation and the element 
ordering. Besides the notion of an event and the relations on events discussed above, 
GEM includes a number of additional primitive notions. An element corresponds to a 
locus of activity or point in space. A group is a set of elements and other groups, which 
is used to collect semantically related objects. History sequences are certain increasing 
sequences of computation prefixes, and are used as a domain of interpretation for 
temporal logic formulas. Threads are a mechanism for dynamically grouning a 


sequence of related events. 


The issues considered by GEM seem largely orthogonal to those examined in this 
thesis. The design of GEM seems to have been motivated primarily by a desire to 
describe, within a common framework, the semantics of a number of primitives of 
concurrent programming languages. For example, monitors and the CSP 
communication primitives are discussed. In contrast, this thesis is not concerned with 
the description of programming language primitives, although this is a problem that 
must ultimately be addressed. A GEM specification describes constraints on 
computations of a single program, whereas in this thesis a specification is viewed as 
describing constraints on the entire set of computations of an undetermined program. 
GEM apparently does not include any notion of behavior, composition, or abstraction. 


Yonezawa [Yonezawa77] develops techniques for the specification and 
verification of parallel programs, based on the actor model of computation. The central 
concepts used in these techniques are the notions of a conceptual state, and a 
Situation. A conceptual state is a summary of the past communication history of an 
actor, and corresponds closely to the conceptual states used in the state-transition 
specifications of this thesis. A situation assigns a conceptual state to each actor in a 


system, and is used in verification in much the same way as the state of the "composite 
machine" is used in this thesis (see Chapter 3). The notion of an implementation 
invariant appears in Yonezawa’s work, and plays roughly the same role there as it does 
- in this thesis. Yonezawa’s model seems to incorporate a notion of hierarchy of 
abstraction, in the sense that it is possible to view a system both at a more detailed level, 
where there is a larger collection of events and more detailed states, and at a less 
detailed level, where only a subset of the events is considered and less information is 
contained in the states. 


Yonezawa’s specifications look very much like the definitions of state-transition 
relations used here, in the sense that a specification describes, for each possible event, 
a precondition on the state that must hold for an event to occur, and a postcondition 
that describes the state that results after the event occurrence. The semantics of the 
event/precondition/postcondition triples used by Yonezawa seems to differ from their 
counterparts in this thesis, in the sense that if the precondition of an event ever holds, 
then that event must eventually occur. Thus, Yonezawa’s formalism appears, to a 
certain extent, to be capable of expressing liveness nroperties. 


There are three major deficiencies with Yonezawa’s work, which are improved 
upon in this thesis: 

(1) The semantics of Yonezawa’s specifications are defined informally in terms 
of the actor modei, whose precise definition is somewhat obscure. It is therefore not 
possible to address rigorously the question of what constitutes correctness in 
Yonezawa’s model, and to show that his proof techniques suffice to prove correctness. 

(2) The actor model lacks a useful notion of modular decomposition. In 
particular, there is no reasonable way to view a system of actors as a single actor. 

(3) Yonezawa’s techniques can handle only a very limited form of liveness 
property in specifications and proofs; namely, those of the form: "If the precondition of 
an event holds, then eventually that event must occur." 


2. Framework for a Theory of Specification 


The purpose of this chapter is to construct a framework of definitions that is 
. suitable as a foundation for a theory of specification. We present and motivate formal 
definitions of the notions, discussed informally in Chapter 1, of "interface," 
“observation,” “abstraction,” "decomposition," "implementation," and "correctness." 


2.1 Interfaces, Observations, and Behaviors 


An event is an observable instantaneous occurrence during the operation of a 
computer system. If one were to examine a particular computer system in microscopic 
detail, the events of a system could be identified with physical events, such as voltage 
changes on signal lines. However, we are generally not interested in such a large 
amount of detail, and instead regard large classes of physical events as equivalent and 
indistinguishable. Examples of such equivalence classes are: the event in which 
process A submits a message to a transmission system for delivery to process B, the 
event in which the variable x is set to three, and the event in which the synchronizer 
module receives a try request from user process p. 


The first step in modeling a particular system is to identify and classify the 
interesting instantaneous occurrences. As a result of this procedure, we associate with 
each system and each particular level of abstraction at which the system is to be 
viewed, an "interface," which represents the set of all possible instantaneous 
occurrences of interest at the given level of abstraction, plus a single element A, which 
represents all uninteresting occurrences. Lower levels of abstraction (those that 
incorporate more detail) are characterized by larger interfaces, corresponding to finer 
classifications of the instantaneous occurrences, whereas higher levels of abstraction 
are associated with smaller interfaces, corresponding to coarser classifications. 


Definition - An interface is a structure <E, Ap ...», where E is a set whose elements are 
called events, A, Is a distinguished element of E calied the null event, and the ellipsis 
indicates that further structure may be present. 8 


We use the symbo! E to denote both the entire structure and the underlying set of 
events. When the interface E is clear from the context, we will omit subscripts, writing A 
instead of A,. 


in general, an interface E will have additional structure besides the distinguished 
element A,. For example, in Chapter 5 we will be concerned with interfaces of the form 
<E, A,, In,, Out,>, where In, and Out, are subsets of E called the sets of “input events” 
and “output events,” respectively. Except for the material in Chapter 5, the only 
Structure required is the existence of the distinguished null event A,. 


If E is an interface, then let E* denote the set of all finite strings, and E™ the set of 
all finite and infinite strings, on the alphabet E - {A,}. It is convenient to view E as a 
subset of E* and E™, where the element A, of E is identified with the unique string of 
length zero, and each non-A element e of E is identified with the corresponding string e 
of length one. 


In the synchronizer example, the interfaces are defined as follows. Let Proc be the 
set of user processes. The synchronizer module has interface E™ = {try fun, rest,: p 
€ Proc} U {A}. A synchronizer component module has interface ES° = {), try, run, 
rest, token_in, token_out, request_in, request_out}. 


To describe the functioning of a system during a single execution, we postulate 
the existence of ‘an omniscient observer, outside of the system under consideration. 
The observer is able to watch the operation of the system and compile a complete 
record of the events that occur, along with their time of occurrence. We refer to this 
record, the structure of which will be precisely defined below, as an "observation." An 
observation is a function that maps each instant of time t in the interval [O, 0%) to the 
event that occurs at time t. 


We assume that at most finitely many non-A events can occur in any bounded 
interval. This assumption, which is used to permit inductive reasoning about 
observations, seems reasonable if we think of a computer as executing in discrete steps 
taken at a finite rate. The fact that an observation is a (single-valued) function implies 
that at most one event occurs at each instant of time. This is not to be interpreted as a 
fact about real-world systems, but rather as part of the definition of the term "event." 
That is, by definition no more than one event occurs at any instant. To model a situation 
in which a number of primitive occurrences can happen simultaneously, we must use an 
interface that contains one event for each possible combination of primitive 
occurrences. 


The reason why we define observations as functions from [0, 0) to events rather 
than simply as sequences of events (and in Chapter 3 define computations on [0, 00) as 
well), is a technical one. We shall often be interested in composing a collection of 
observations, one for each component module in a system of modules, to obtain a 
single observation of the composite system. If observations are defined to be 
sequences of events, then composition of observations corresponds (in the special 
case that the component modules do not interact) to interleaving of sequences. For 
example, if a module M, can produce the sequence of events ab and module M, can 
produce the sequence of events cd, then the composite system consisting of modules 
M, and M, can produce the interleaved sequence of events acbd. The feature of 
interleaving that is inconvenient for our purposes is the fact that the indices of events 
change under interleaving. That is, the event b appears as the second event in the 
sequence ab, but as the third event in the sequence acbd. The definitions of 
observation and composition we use have the more convenient property that an event 
appearing at time t in an observation for module in isolation always corresponds to the 
event appearing at time t in a composite observation. 


Definition - An observation over an interface E is a function x: [0, 00) — &, such that 
x(t) # A for at most finitely many t in each bounded interval. § 


Let A denote the identically X observation, and let Obs(E£) denote the set of ail 
observations over E. If x € Obs(E), and a € [0, ©), then tet [x] denote the function that 
maps each t € [0, ©) to the the (finite) string of non-A events that occur during the 
interval [0, t) in x. Let suffix,(x) be the observation y € Obs(E) such that y(t) = x(t + a) 
for all t € [0, 00). 


By collecting the set of all observations that can be produced by a system in 
various environments, we obtain the "behavior" of that system. 


Definition - A behavior of interface E is a subset of Obs(E). 


Let Beh(E) be the set of all behaviors of interface E. 
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2.2 Abstraction, Decomposition, and Interconnection 


In this section, we show how the concepts of hierarchy of abstraction and modular 
decomposition can be captured through the use of certain mappings between 
interfaces, which we call "translations," and the corresponding mappings they induce 
on observations. 


Definition - A translation from an interface E to an interface F is a function h: E -— F 
such that h(A,) = A,. A translation h from E to F extends in a natural way to a function 
h: Obs(E) — Obs(F), under the definition h(x) = hex. i 


The concept of an "interconnection," defined below, is the formal notion 
corresponding to a diagram like Figure 2. Intuitively, an interconnection consists of of 
an “abstraction map," which captures the relationship between a more concrete and a 
more abstract view of a system, and a “decomposition map," which captures the 
relationship between a composite system and its component modules. An abstraction 
map is simply a translation from the interface corresponding to the concrete view, to the 
interface corresponding to the abstract view. A decomposition map is a collection of 
translations that shows how the events for the composite system are decomposed into 
events for the component modules. 


Definition - An interconnection is a pair 3 = <a), <B> eps where a’: EI + Diisa 
translation, / is a finite index set, and each 8°: EI» F? is a translation. The interfaces FA 
are the component interfaces of J, the interface EI is the composite interface of J, and 
the interface D? is the abstract interface of 3. The translation a is the abstraction map 
of 5, and the vector 85>, is the decomposition map of 5. § 


In the sequel, underlining will be used to denote a vector of objects; thus we write § J for 
the vector «83>. r 


The synchronizer implementation yields an example of an interconnection. The 
content of Figure 2 is formalized by the interconnection <a™', § >, where ESM! aS: 
ESM! _, ESM and eM, ESM! _, ESC, p € Proc, are defined below. 


The composite interface for the synchronizer module implementation is ES’ = 
{try,: run, rest, token > Fequest,: p € Proc} U {A}. 
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The decomposition map § ™! projects or decomposes each event for the 
composite interface into corresponding events for the synchronizer component 
modules. The events try,, run, and rest, in ESM! decompose to try, run, and rest events 
of the pth synchronizer component module. The events token, and request, of ESM! 
represent interaction between the pth synchronizer component module and_ its 
neighbors in the ring. Specifically, the event token, represents the joint occurrence of a 
token_out event for the pth synchronizer component module, and and a token_in event 
for the p + 1st synchronizer component module. Similarly, the event request, represents 
the joint occurrence of a request_out event for the pth synchronizer component module 
and a request_in event for the p-~1st synchronizer component module. Formally, 


bM\(e) = try, ife = try, 
= run, ife = run, 
= rest, ife = rest, 
= token_in, ife = token, , 
= token_out, ife = token P 
= request_in, ife = request, ., 
= request_out, ife = request, 
=X, otherwise. 


The abstraction map a! preserves events in which the system of synchronizer 
component modules interact with the user processes, but deletes (i.e. maps to A) events 
corresponding to internal interaction between synchronizer component modules. 
Formally, 

alg) = e, if e € {try,, run, rest,: p € Proc}, 
=\, ife € {token,, request,: p € Proc} U {A}. 


We assign intuitive significance to some of the operators on behaviors that are 
naturally induced by abstraction and decomposition maps. 


The direct image operator associated with an abstraction map takes a behavior of 
a system viewed at a more concrete level, and produces the corresponding behavior of 
that system viewed at a more abstract level. 


Definition - The abstraction operator associated with a translation a: E — D, is the 
function, also denoted by a, that maps each behavior B € Beh(E) to the direct image 
a(B) € Beh(D). We refer to the behavior a(B) as the abstraction of B under a. 8 


The inverse image operator induced by a decomposition map models the 
operation of composing a collection of component module behaviors to produce the 
corresponding behavior of the composite system. Intuitively, if S is a system consisting 
of component modules <M>,_,, then S can produce all and only those observations x 
that, when decomposed, match observations that each M,can produce. 


Definition - The composition operator associated with the vector § of translations is 
the function, denoted by § “', that maps a vector <B>,,,, where B, € Beh(F,) for each i € /, 
to a behavior 8°'(B ) € Beh(E), under the definition: 

5‘(B) = {x € Obs(E): 8(x) € B, for all / € /}. 
Thus, the set § “'(B ) contains an observation x € Obs(E) iff 5,(x) € 8, for alli € 1. We call 
this set the composition of B under §. 8 


2.3 Specification, Implementation, and Correctness 


In practice a specification will take the form of a string of symbols in a formal 
specification language, since it must be possible to write down a specification. 
However, since this thesis is not concerned with the details of a particular formal 
language in which specifications are to be expressed, it is convenient to adopt a more 
liberal view: A specification is any mathematical object that denotes, in a well-defined 
way, an interface and a set of behaviors of that interface. 


Definition - A specification language is a triple <Specs, &, >, where Specs is a set of 
specifications, & is a mapping that assigns an interface &(S) to each specification S € 
Specs, and & is a mapping that assigns a set &(S) C Beh(&(S)) to each specification S € 
Specs. We say that S is a specification of interface &(S), and that each B € B(S) satisfies 
S. 8 


An interconnection describes the pattern of interaction between modules in a 
system in analogy to the way a program scheme describes the flow of control between 
uninterpreted statements. It makes no sense to speak of an interconnection as 
"correct" or “incorrect,” since an interconnection includes no information about the 
behaviors of the component or abstract modules. However, if we provide an 
interpretation for the modules by augmenting an interconnection with specifications of 
the abstract and component module interfaces, it does become meaningful to speak of 
correctness. We use the term "implementation" for an interconnection augmented with 


specifications. 


Definition - An implementation is a tuple <3, S,.., <S>i<P; where J is an 
interconnection, S,.. is a specification of interface Dd, and S, is a specification of 
interface F), foreach i€ |. 


An implementation is correct if, whenever acceptable behaviors are plugged in for 
the component modules, then the resulting abstract module behavior is also 
acceptable. The composition and abstraction operators associated with the 
interconnection formalize the notion of "plugging in.” 


Definition - An implementation <3, S,.., <S>i¢P is correct If a50(§ 4-(B ) € BS...) 
whenever B, € B(S,) for eachi€/. # . 


3. State-Transition Specifications 


In this chapter, we will investigate a particular approach, called "“state-transition 
specification,” to the derivation of module specifications. In this approach, we imagine 
that at any instant of time a module can be thought of as being in one of a number of 
conceptual states. Associated with each conceptual state is a collection of events that 
can occur in that state, and a description of the state change that results from the 
occurrence of each of those events. Thus, a state-transition specification describes the 
desired functioning of a module in terms of a kind of machine that generates an 
observation as it executes. It is important to note that the conceptual states in a 
state-transition specification are merely a tool for describing the desired functioning, 
and need not have anything to do with the "real" state present in any particular module 
instance that satisfies the specification. 


The properties captured by the state-transition technique discussed here are 
divided into two classes: "local" properties, which concern the relationship between an 
event and the conceptual state of the module immediately preceding and immediately 
following the occurrence of that event, and "global" properties, which relate events and 
states perhaps distant from each other in time. Local properties are of the form: "An 
event e can occur only if the state of the module satisfies P, and if e occurs, then the old 
State and new state of the module are related by the binary relation R." Examples of 
global properties are "eventuality" conditions of the form: "If the module is now ina 
state with property P, then eventually event e will occur." Local properties are specified 
by a machine as mentioned above. Global properties are specified by defining a set of 
“validity conditions” on computations of the machine. The set of computations that 
Satisfy the validity conditions is called the set of "valid" computations. 


The reason for investigating state-transition specifications is that they appear to 
provide a natural, straightforward strategy for turning an intuitive understanding of the 
desired function of a module into a formal specification. This strategy consists of the 
following steps: 

(1) Define an appropriate set of conceptual states. For example, in the 
specification of the abstract synchronizer module, a state is a vector that tells for each 
user process whether the synchronizer module thinks that process is trying, running, 
resting, or in error. 

(2) Define a set of initial states, in which the module begins execution. For the 


synchronizer module, there is a single initial state in which all user processes are 
resting. 

(3) Define, for each event, the conditions required on the state for the 
occurrence of that event to be possible, and the state changes associated with an 
occurrence of that event. For example, a "run" event for process p can occur only if p 
is trying and no other process is currently running. Occurrence of a "run" event causes 
the state of p to change to "running" and leaves the states of all other processes 
unchanged. 

(4) Define the desired global properties for the module. For the synchronizer 
module, we wish to require that every user request eventually result in a corresponding 
reply, if possible. 


Besides serving aS a natural vehicle for formalizing specifications, the 
state-transition approach also provides a strategy for performing correctness proofs. 
The Correctness Theorem (Theorem 3.9) gives sufficient conditions for correctness that 
exploit the machine structure of the specifications. 


This chapter is organized as follows: In Section 3.1 the notion of "subset 
specifications," of which state-transition specifications are an example, is introduced. 
In Section 3.2 the machines used in state-transition specifications are defined, and in 
section 3.3 some tools for reasoning about their computations are developed. The 
notion of a state-transition specification is defined in Section 3.4. In Section 3.5 the 
Correctness Theorem, which is the main result of this chapter, is proved. Section 3.6 
shows that the Correctness Theorem is a natural generalization of the “possibilities 
mapping" proof technique of Lynch [Lynch83] and Goree [Goree81]. Section 3.7 
shows how the proof technique suggested by the Correctness Theorem can be further 
systematized in the case of state-transition specifications whose sets of valid 
computations have been defined by "rely-/guarantee-conditions.” 


3.1 Subset Specifications 


As discussed in Chapter 2, a specification S of interface E defines a set B(S) of 
behaviors of interface E. In general, we might look for specification techniques that are 
capable of expressing arbitrary properties of behaviors. However, in practice it appears 
that the properties of behaviors we wish to express in a specification are nearly always 
of a special form. That is, it is nearly always the case that we wish to express universal 
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properties of the observations in a behavior, of the form: "Every observation x in B has 
property P," where P is a property of observations. This means that in practice it is 
usually not necessary to have a specification technique that is powerful enough to 
express arbitrary properties of behaviors. Rather, a less powerful technique, which is 
capable only of expressing properties of observations, suffices. The state-transition 
specification technique introduced in this chapter is of this less powerful variety. 


Definition - Aspecification S of interface E is a subset specification if there exists a set 
0(S) C Obs(E) such that B(S) = {B € Beh(E): B C O(S)}. 


For the rest of this thesis we will be concerned only with subset specifications. To 
see what we give up by restricting our attention to subset specifications, let us consider 
some examples. Examples of properties of behaviors that can be expressed as subset 
specifications, that is, as universal statements about observations in a behavior B, are 
the following: 

- Every observation in B contains at most finitely many occurrences of non-A 
events (that is, computation always quiesces). 
In every observation in B, either each occurrence of a try event for process p 
is ultimately followed by a run event for process p, or else there is a point in time after 
which some process is in the "running" state forever. 


Examples of properties of behaviors that cannot be expressed as subset 
specifications, and hence cannot be captured by the state-transition approach 
discussed here are: 

- There exists an observation in B that contains at most finitely many 
occurrences of non-A events (there exists a quiescing computation). 

- If x is an observation in B and t € [0, &), such that [x](t) = u, then there is an 
observation y € B and at’ € [0, ©0) such that [y](t’) = ue. (if the module is capable of 
doing u, then it is also capable of doing ue). 

- If x is an observation in B, and f is an order-isomorphism from [0, ©) to 
[0, ©), then xef is also an observation in B (the module is asynchronous, or 
timing-independent). 


Because the properties of behaviors defined by subset specifications are really 
just “lifted” properties of observations, the definition of correctness of an 
implementation that involves subset specifications has an equivalent statement in terms 


of observations. 


Lemma 3.1 - Suppose that <J, Sabs' “ier iS an implementation, where S,,, and each 
S, is a subset specification. Then <3, S,,,, S >is correct iff a49(8 4)(<O(S)>¢) C O(S 54,9): 


Proof - => Suppose <3, S,,., S > is correct. Suppose that x € Obs(E4) is such that 53(x) 
€ O(S)) for each i € J. Then the behavior {x} is the composition under § J of the vector of 
behaviors <{54(x)}>,¢, and the behavior {a%(x)} is the abstraction under a’ of the 
behavior {x}. Since the behavior {8(x)) satisfies S, for each i € /, it follows by 
correctness that the behavior {a°(x)} satisfies S,,.. Thus a(x) € O(S,,.). 


<= Suppose that a%0(g %)(<0(S)>,¢,) C O(S,,,). For each / € J, suppose that 8; is 
behavior that satisfies S, Then B, C O(S). Let B,,, = a49(8 4y(B ). Then B,,, is a 
subset of O(S 46) by hypothesis, and hence Hence B abe satisfies S abs" | 


3.2 Machines and Computations 


In this section, we detine a kind of nondeterministic machine that generates an 
observation in each of its computations. 


Definition - A nondeterministic event machine (or just machine" for short) M consists 
of: 

- An interface E,, 

- Aset Q,, of states. 

- Anonempty set Init,, C Q,, Of initial states. 

- Arelation Trans,, C Steps(E,,, Q,,) = Q,, X E,, X Q,,, called the 
State-transition relation, such that for all q € Q,,, the null step <q, A, q> € Trans,,. & 


If E,, = E, then we say that M is a machine of interface E. 


The state-transition relation Trans,, of a machine M has a natural extension 
Trans,,* that applies to strings of events, rather than just single events. Formally, define 
Trans,,* € Q,, X E,,* X Q,, to be the least relation containing Trans,,, and having the 
following closure property: If <q, u, > € Trans,,* and <r, v, s> € Trans,,*, then <q, uv, > 
€ Trans,,*. (Recall from Section 2.1 that we identify the null event A, with the empty 
string.) 
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Definition - A state q € Q,, is reachable by M if there exists a state q, € Init,, and a 
string u € E,,* such that <q,, u, q> € Trans,,*. 


Suppose that R C Q,,. Then R is inductive for M if 
(1) Init, CR. 
(2) For all <q, e, > € Trans,,, ifq €R thenr€ AR. 
We say that A is invariant for M if it contains all reachable states of M. The following 
extremely important induction principle is a standard technique (see, e.g. [Keller76]) for 
proving properties of reachable states. 


Lemma 3.2 (Induction Principle) - Suppose M is a machine, and that R C Q,,. If R is 
inductive for M then R is invariant for M. 


Proof - Straightforward. 1 


Ordinarily, a computation of a machine might be defined to be a pair consisting of 


a state sequence q,, q,, ... , and an event sequence @,, @,, ... such that each step 
<A, On Teg p satisfies the state-transition relation. Intuitively, q, and q, ,, represent the 


states "just before" and “just after" the occurrence of the event e,, respectively. To 
define a computation in which the notion of an event sequence has been replaced by 
that of an observation, we generalize the notion of a state sequence to that of a "state 
function,” which assigns a state to each nonnegative real number, in such a way that 
the notion of state "just before” and “just after" each point ¢ € [0, °°) is meaningful. 


Definition - A state function over a set of states Q Is a function f: [0, 0) - Q such that 
for all t € (0, 00), there exists e, > O such that f is constant on the intervals [t-e,, t] 9 
[0, 00) and (t, t+e,]. i : 


We write f(t*) as an abbreviation for the constant value of f on the interval (f, t+ ,), 
which intuitively represents the state “just after" time t. The state at and also "just 
before" time t is represented by the value f(t). 


Definition - A history over an interface E and state set Q is a pair X = <Obs,, State,>, 
where Obs, is an observation over E, and State, is a state function over Q. Let 
Hist(E, Q) denote the set of all histories over interface E and state setQ. 8 
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If X € Hist(E, Q) and t € [0, 00), then define the step occurring at time t in X by: 
Step,(t) = <State,(t), Obs,(t), State,(t*)>. 


The generalization of the ordinary definition of a computation is now 
straightforward. 


Definition - A computation of a machine M is a history X € Hist(E,,, Q,,) such that 
(1) State,(0) € Init, 
(2) Step,(t) € Trans,, for all t € [0, 00). 

Let Comp(M) denote the set of all computations of M. il 


if V is a set of computations of M, then define Obs(V), the set of all observations 
generated by V, by Obs(V) = {Obs,: X € V}. 


3.3 Properties of Histories 


The purpose of this section is to develop some machinery for passing back and 
forth between histories and "history skeletons," which are sequences of steps plus 
timing "information. Each history skeleton naturally defines a unique history. 
Conversely, given a history X we can extract (though not in a unique way) a history 
skeleton by restricting Step, to a suitable subset 7 of [0, 0). Whereas histories have 
convenient behavior under projection, history skeletons are more useful for performing 
computational induction arguments. 


Definition - A skeletal sequence is a monotone increasing sequence th<t)<. of 
elements of [0, ©©), such that tp = O and t, > 0 as k - 00. A Skeletal sequence 7 = 
<t,>,ey Spans a history X if for each k € N, Obs, is identically A and State, is constant on 
the interval (t,,t,,,). § 


Note that by the properties of a state function, if State, is constant on the open interval 
(t,.t,, ,), then State, is also constant on the right-closed interval (t,, t, , J 


Lemma 3.3 - Suppose X is a history. Then there exists a skeletal sequence that spans 
X. 


Proof - Let T = NU {t € [0, 00): Step,(t) is nonnull}. The proof that 7 is a skeletal 
sequence that spans X uses the defining properties of observations and state functions, 
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plus the compactness property of the closed, bounded subsets of [0, 00). The details 
are omitted. § 


Corollary 3.4 - Suppose <X>., is a finite collection of histories. Then there is a 


skeletal sequence T that spans all the X,. 


Proof - For each i € /, let T, be a skeletal sequence that spans X,, and define T = U,¢, T,. 
The finiteness of / implies that 7 has order type w, and is hence a skeletal sequence. It is 
obvious that T spans each X,. § 


Definition - A history skeleton over an interface E and a state set Q is a function f: T — 
Steps(E, Q), where T = <t,>,¢y iS a Skeletal sequence, such that if f(t,) = <q, @,. 7, for 
each k € N, then r, = q, ,, for all k € N. The history skeleton f spans a history X if T 


spans X and fis the restriction of Step, toT. 8 


Lemma 3.5 - Suppose that f is a history skeleton over E and Q. Then there is a unique 
history X over E and Q such that f spans X. 


Proof - Suppose f: T -> Steps(E, Q), where T = <t,>,-y. Suppose f(t,) = <q, 6,59, , 4?» 
The requirement that f spans X defines X uniquely: 
Obs,() =e, iff =t, 
=, otherwise. 
State,() = 9), iff =0 
=O, HIE (t,, thal: 
it is easy to see that X is a history. @ 


Lemma 3.6 - Suppose X is a history over E and Q. If T = <t,>,- yis a skeletal sequence 
that spans X, then the restriction of Step, to T is a history skeleton that spans X. 


Proof - Let f denote the restriction of Step, to T, and suppose that f(t,) = <q,,6,,/,>. lff 
is a history skeleton, then f spans X by definition. To see that f is a history skeleton, we 
must show that r, = q,,, for allk € N. Fix k € . By definition of a state function, we 
can select e > O such that State, is constant on the interval (t,, t,+e]. Then r, = 
State, (t, +e). Since State, is constant on the interval (t,, t, ,,] by the fact that 7 is a 
skeletal sequence of X, it follows thatr, = q,,,. § 


-52- 


The following consequence of Lemma 3.3 and Lemma 3.6 says that every state 
appearing in a computation is reachable. 


Corollary 3.7 - Suppose X is a computation for a machine M. Then State,(t) is 
reachable for M, for all t € [0, 00). 


Proof - Use Lemma 3.3 to obtain a skeletal sequence T = <t,>,- that spans X. By 
Lemma 3.6, the restriction of Step, to T is a history skeleton that spans X. The result 
follows by an inductive proof that the constant value of State, on each set {tp}, (t,, t], 
(t.» t,), .. is reachable for M. The details are straightforward, and are omitted. § 


3.4 State-Transition Specifications 


Definition - A state-transition specification S of interface E is a pair <M., V.>, where M, 
is a machine of interface E and V, is a set of computations of M,, which we call the set 
of valid computations. 


If S is a state-transition specification of interface £, then the set of behaviors that 
satisfy S is defined as follows: 
@(S) = {B € Beh(E): B € Obs(V,)} . 
It is clear from this definition that state-transition specifications are subset 
specifications. 


As. a concrete example of a state-transition specification, consider the 
specification for the synchronizer module. The interface for the synchronizer module is 
defined by: 

ESM = {A} U {try,, run,, rest,: p € Proc}. 
The state set Q® for the synchronizer module specification is defined by 

Qs = Th eproe {trying, running, resting, error}. 
Thus each element of the state set QS is a vector that tells, for each process p € Proc, 
what the synchronizer module thinks that process is currently doing. If q € QS and p € 
Proc, then let q(p) denote the component of q corresponding to process p. If v € 
{trying, running, resting, error}, then let g[v/p] denote the state r € Q™ that is identical 
to q except that r(p) = v. 
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Next, we define the initial state set initS¥ and state-transition relation Trans®™ for 
the synchronizer specification. The initial state set Init™ consists of the single state q 
that assigns the value “resting” to each p € Proc. The state-transition relation Trans™ 
contains a step <q, e, - iff either e = X andq = r, or one of the conditions (try), (run), or 
(rest) below is satisfied for some p € Proc: 
(try) e= try, and either 
q(p) = resting and r = q[trying/p], or 
q(p) # resting and r = q[error/p]. | 


(run) e= run,, q(p) = trying, q(p ‘) # running for all p ‘ € Proc - {p}, 
andr = q[running/p]. 


(rest) oc rest, and either 
q(p) = running and r = q[resting/p], or 
q(p) # running and r = q[error/p]}. 


We have defined the machine MSM = <éS™, QS, InitSM, TransS™> for the 
synchronizer module specification. To complete the state-transition specification of the 
synchronizer module, we must define the set V™ of valid computations of MS“. The 
intuitive property we wish to capture by this definition is that the synchronizer must 
eventually grant all requests, if possible. The qualification "if possible" is required since 
if one user process remains in the "running" state forever, then it will be impossible for 
the synchronizer module to grant any further requests, without violating the mutual 
exclusion property. We can informally state the defining property of V™ as follows: "If, 
for all user processes p, every instant of time at which p is running is eventually followed 
by an instant of time at which p is not running, then, for all p, every instant of time at 
which p is trying is eventually followed by an instant of time at which p is running." 


The validity condition for the synchronizer module is relatively simple, but already 
the locutions used to precisely define this condition are somewhat awkward. To deal 
with more complex specifications, we require a more compact notation that can be 
systematically applied, as opposed to the ad hoc approach taken above. Such a 
notation is developed in the next chapter, where the constructs of temporal logic are 
used to express properties of histories. 


3.5 The Correctness Theorem 


In this section we consider the problem of how to prove the correctness of an 
implementation with respect to state-transition specifications. The fundamental result 
of this section is the Correctness Theorem. This theorem shows how the correctness of 
an implementation follows from certain properties of a composite machine, which is a 
kind of a kind of product of the machines for the component module specifications and 
the machine for the abstract module specification. Associated with this product 
construction are projection maps that take each computation for the composite 
machine to a corresponding computation for the abstract module machine and for each 
component module machine. 


The Correctness Theorem states that, for an implementation to be shown correct, 
it suffices to show that two conditions hoid for the composite machine. We call these 
conditions the "maximality" condition and the “validity” condition. The maximality 
condition concerns the relationship between the state-transition relations of the 
component module machines and the state-transition relation of the abstract module 
machine. The validity condition concerns the relationship between the set of valid 
computations for the component modules and the set of valid computations for the 
abstract module. 7 


If the inclusion of the machine from the abstract module specification as a part of 
the composite machine seems somewhat strange, consider the following analogy: In 
proofs of concurrent program correctness using Hoare-like deductive systems [Apts1, 
Owicki76], it is well known that it is sometimes necessary to introduce "ghost 
variables," which have no effect on the execution of the program, but merely serve to 
capture information about the state of program execution not reflected in the values of 
the program variables. The abstract module part of the composite machine serves the 
same function as ghost variables: namely to capture information about the history of 
system execution possibly not reflected in the states of the component module 
machines. 


The proof technique suggested by the Correctness Theorem seems closely related 
to the "data refinement proofs" of [Jones81]. Jones shows how the correctness of 
implementations of data abstractions can be performed via "representation relations," 
which relate the states of abstract data objects to states of their concrete 


representations. Representation relations capture the same information as the 
“implementation invariants" defined below, and the "possibilities mappings” of Lynch 
[Lynch83] and Goree [Goree81] (see Section 3.6). 


We now define precisely the notion of the composite machine for an 
implementation. Suppose <3, S abs’ <S>,¢_p is an implementation, where Sits = 


“Maps Vis? and S; = <M,, VD, for each i € /, are state-transition specifications. 


Definition - The composite machine M for the implementation <3, Sine and § > is 
defined as follows: 
E,, = 
Q, = Mane xX Me, Qu, 
Let 7,,, and 7, be the canonical projection maps from the cartesian product Q,, onto 
the factors Omens and Qu, for each i €/. 
Init,, = Inity X Me, init, 
Trans,, = {<q, e, > € Steps(E,,, Q,,): 
<a ats (9) a(e), 7.(7)> € Trans, and 
<a(q), fe), a{r)> € Trans, for alli €/}. 8 


Suppose that X € Hist(E,,, Q,,). Then associated with X is its canonical projection 
x's) onto Hist(E, .Q,, _), defined by 
abs abs 

Obs, (abs) = aeObs, 

State (abs) = w,,,°otate,. 
In a similar way, we associate with X its canonical projection x onto Hist(Ey. Qu): 
defined by 

Obs.) = §,°Obs, 

State, a /°State,. 


It is easily verified that the projections x‘*>5) and x defined above are, in fact, 
histories. Also, it is easily checked that if X is a computation of M, then X'@>5) is a 
computation of M,.., and X" is a computation of M,, for each i € J. 


Next, we state the conditions that are shown by the Correctness Theorem to be 
sufficient for <3, S..., S > to be correct. Intuitively, the maximality condition states that 
the abstract machine can perform any event that can be performed by the system of 
component module machines. The validity condition states that a computation that is 


valid for each of the component modules is also valid for the abstract module. 


Definition - The maximality condition holds for the implementation <3, S..., S > if for all 
States q reachable for the composite machine M, and alle € E, if &,(e) is enabled for M, in 
State 2(q) for each i € /, then a(e) is enabled for M,,, in state T ape(Q)- O 


Definition - An implementation invariant for the implementation <3, S,,., S > is a set Inv 
C Q,,, such that /nv is inductive for the composite machine M. 


Note that an implementation invariant is indeed invariant for M by the Induction 
Principle (Lemma 3.2). 


Since an implementation invariant contains all reachable states of the composite 
machine, it is sufficient to use "gq € Inv, where /nv is an implementation invariant,” in 
place of "q reachable for the composite machine," in proving that the maximality 
condition holds. 


Whenever X is a computation for the composite machine M with the property that x € 
V, for all i € i, then X@*) € Vas well. & 


We now come to the main technical lemma (Lemma 3.8 below) used to prove the 
Correctness Theorem. The intuitive content of this lemma is as follows: Suppose we are 
given a collection X of computations for the component module machines, which are 
"coherent" in the sense that there is a single observation x € Obs(E) such that each 
Obs, is the image of x under the mapping 6,. The vector X of computations can be 
thought of as a computation of the system of machines, obtained by juxtaposing the 
machines for the component module specifications, and "interconnecting" their events 
as specified by the decomposition map 6 . Lemma 3.8 asserts that, if the maximality 
condition holds, then it is possible to construct a computation X for the composite 
machine M, such that Obs, = x, and furthermore, such that the projections x of the 
computation X are the given original computations X, Since X‘>*) must be a 
computation of the abstract module machine (because every computation of M projects 
to a computation of M,,.,), it follows that every coherent collection X of computations for 
the component module machines, "simulates" some computation of the abstract 
module machine. 
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Formally, suppose that X, is a computation of M, for each i € /. Given an 
observation x € Obs(£}, we say that the collection X is x-coherent if Obs, = 8(x) for 
each i € /. The point of this definition is that a vector X cannot be used to form a 
computation X of M unless the observations of each of the X, are in agreement. 


Lemma 3.8 - Let <5, S obs! Sic, net V abs”? and 
that S, = <M, V,>, for each i € / are state-transition specifications. Suppose that the 
maximality condition holds for <3, S,.,, S >. Suppose that x € Obs(E), and that X, is a 
computation of M, for each i € /, such that the collection X is x-coherent. Then there 
exists a computation X of the composite machine M such that Obs, = x, and such that 


X = X, for each i € 1. 


» be an implementation, where S... = <M 


Proof - By Corollary 3.4, there exists a skeletal sequence T = <t,>,¢y that spans each 
of the X.. We assume without loss of generality that 7 includes all points t for which x(t) 
# Xd. Lete, = x(t,) for each k. We will use the maximality condition to construct a 
sequence q,, q,, ... of elements of Q,, such that w{q,) = State, (t,) for all i € / and all k € 
vw, and such that <q,, @, 4,,,7 C Trans, for alik € W. Then ihe function i 7 
Steps(E,,, Q,,) that takes f, to <q,, €,, 9, ,,9 is a history skeleton for M. By Lemma 3.5 
there is a unique history X for M such that f spans X. It is easy to see that X is a 
computation of M with Obs, = x and X = X, for each i € I. 


The q, are constructed by induction on k. At the kth stage of the construction (k> 
0), we assume that q, has been constructed so that q, is reachable and »{q,) = 
State, (t,) for alli € . We construct q, ,, so that #{q, ,,) = State, (t, ,1) for alli € J and 
so that <q,, 6, 9,,49 € Trans,,. It follows by definition of reachability that q, |, is 
reachable. 


Basis: Let q, be an arbitrary element of {q € tnit,,: #(q) = State, (0) for all / € /}. Note 
i 
that this set is nonempty since it is a cartesian product of nonempty sets. Clearly q, € 
Inv and 2(q,) = State, (0) for all / € /. 
i 


Induction: Suppose, for some k € N, that q, has been defined so that q, € Inv and 7(q,) 
= State, (t,) for all i € 1. Since X, is a computation for M,, for each / € J, we know that 
5(e,) is enabled for M, in state 7(q,), for each ij € I. Since q, is reachable for M, the 
maximality condition implies that a(e,) is enabled for M,,. in state w.(q,). Hence 


{q € Q,,: <q,, €,,@> € Trans,, and {q) = State, (t, , 1) for all i € /} is nonempty. Letq, , , 
be an arbitrary element of this set. 8 


The Correctness Theorem is an easy consequence of the preceding lemma. 


Theorem 3.9 (Correctness Theorem) - If the maximality and validity conditions hold for 
an implementation, then the implementation is correct. 


Proof - Suppose <3, S,.., <S,>;-P is an implementation, where S,,, = <M,,., V,,.> and 
that S, = <M, v> for each ij € / are state-transition specifications. Suppose that the 
maximality and validity conditions hold. Let M be the composite machine. Suppose that 
x € Obs(E) is such that 5(x) € O(S) for alli € 1. By Lemma 3.1, it suffices to show that 
a(x) € O(S,,.). Since 5(x) € O(S,) for each / € /, we know that for each i € / there is a 
computation X, € V,, such that Obs, = 6{x). Since the collection X is x-coherent, by 
Lemma 3.8 there exists a computation X for the composite machine M, such that Obs, 
= x and such that X = X, for all i € /. Using the validity condition, we then conclude 
that x5) € Vv... It follows that a(x) = a(Obs,) € 0(S,,,,), as required. & 


3.6 Possibilities Mappings 


In this section we show that the Correctness Theorem is a natural generalization of 
the “possibilities mapping” proof technique proposed by Lynch [Lynch83] and Goree 
[Goree81]. 


Lynch and Goree define a possibilities mapping to be a function that assigns a set 
of abstract module machine states to each vector of states for the component module 
machines, in such a way that the initial state set and state-transition relation are 
preserved. The fact that each vector of component module states is mapped to a set of 
abstract states, rather than to a single abstract state, means that possibilities mappings 
are a generalization of the usual notions of simulation or machine homomorphism. 
Intuitively, the value of the simulation mapping on a vector of component states is the 
set of “possible” abstract states that correspond to the given component states -- 
hence the name "possibilities mapping." 


Lynch and Goree’s proof technique can be stated as follows: "If there exists a 
possibilities mapping for an implementation, then the implementation is correct." 
Interpreted in the framework of this thesis, Lynch and Goree's technique applies only to 


implementations that involve state-transition specifications <M, V> for which V = 
Comp(M). For such implementations, the validity condition required by the Correctness 
Theorem is vacuous. Theorem 3.10 below shows that the existence of a possibilities 
mapping is equivalent to the maximality condition required by the Correctness Theorem, 
and thus the Correctness Theorem includes Lynch and Goree’s proof technique as a 
special case. 


To define the notion of a possibilities mapping, suppose <J, S,,., <SPicP is an 
implementation. Suppose S.., = <Mii: Vang? and S, = <M, V>, for each i € /. Let M be 
the composite machine. 


Definition - A possibilities mapping for the implementation <3, S,,., <S>,-p is a function 
fi Tie, Qu, > HOw.) with the following properties: 
(1) Inity os C f(<q,>;¢,) whenever q, € Inity, for all i € 1. 
(2) For all q € Q,,, if 7,,.(4) € f(<a(q)>,¢,), then: 
(a) Whenever r € Q,, and e € E,, are such that <q, e, > € Trans,,, then w,,(r) 
€ f(<a{r)>,¢,). 
(b) For alle € E,,, if 5(e) is enabled in state #{q) for each i € /, then a(e) is 
enabled for M,,, in state ,(q). & 


Theorem 3.10 - Suppose that <3, S,,., <S>,<) is an implementation, where S,,. and S, 
for each i € / are state-transition specifications. Then the following are equivalent: 

(1) There exists a possibilities mapping for <3, S$ >. 

(2) The maximality condition holds for <3, S..., $ >. 
Proof - Suppose that Sips = “Mans: Vabs? and that S, = <M,, VD, foreachi€/. Let M be 
the composite machine for the implementation <3, S..., S>. 


(1) => (2): Suppose that f is a possibilities mapping for J, S,,, and S . Define 

Inv = {q € Quy? tapglG) € MX (9)>i¢)}- 
Condition (1) in the definition of a possibilities mapping implies that Init, C /av. 
Condition (2)(a) in the definition of a possibilities mapping implies that /nv is inductive, 
and hence by Lemma 3.2 contains all states reachable for M. The maximality condition 
now follows from condition (2)(b) in the definition of a possibilities mapping. 


(2) => (1): Conversely, suppose that the maximality condition holds. Define f: 11,-,Q, > 


Q,ps 2S follows: f(<q,>,-,) is the set of all q,,, € Q,,, Such that there exists a reachable 
ose q for M with wa) = 9,,, and a q; ter all i € |. We claim that f is a 
possibilities mapping. 


Condition (1) in the definition of a possibilities mapping holds, since given <q,>,-, € 


N¢, Init,,, then every q,,. € Init, re yields a state <q... <q),¢? that is in Init,, and hence 
a 


is SAchiAis for M. 


To show that condition (2) holds, suppose that q is a state of M such that a, (q) € 
f(<a{q)>,¢,). Then q is reachable for M by definition of f. To see that (2)(a) holds, note 
that if <q, e, m € Trans,,, then r is reachable by definition of reachability, and hence 
(r) € f(<a{r)>,¢)). The maximality condition implies that condition (2)(b) holds. & 


7 abs 


3.7 Rely-/Guarantee-Conditions 


In this section we will see how state-transition specifications whose sets of valid 
computations are defined by rely-/guarantee-conditions can be used to perform the 
validity part of a proof of correctness. The principle of rely /guarantcc conditions 
states that the set of valid computations V in a state-transition specification S = <M, V> 
should be defined in the form: "Rely implies Guar," where Rely expresses the properties 
that the module being specified relies on its environment to provide, and Guar 
expresses the properties that the module guarantees to provide in return. 


For the synchronizer module, we wish the validity conditions to capture the idea 
that every user’s request should eventually result in a response, if possible. The tricky 
part is the precise formulation of the "if possible" condition. Clearly if some user goes 
into the running state and remains in that state forever, then it will never be possibile to 
allow any other user in the trying state to go to the running state, without violating the 
mutual exclusion property. This condition can be stated in rely-/quarantee-condition 
form as follows: "If every user process obeys the requirement that, once in the running 
state, it will eventually leave the running state, then the synchronizer module guarantees 
that every user in the trying state will eventually leave the trying state (and hence 
advance to the running state.)" 


We have two results, Lemma 3.11 and Lemma 3.12 below, that describe 
techniques for using rely-/quarantee-condition specifications in proofs of correctness. 
In both of these techniques, we are required to prove: 
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(*) Each component module’s rely-condition is implied by the conjunction of the 
abstract module's rely-condition and the guarantee-conditions for some subset of the 
component modules. 

Although the exact form taken by condition (*) is different for the two techniques, a 
proof by either of the techniques is simplest when the rely- and guarantee-conditions for 
the component modules are chosen so that the truth of condition (*) is obvious. Thus, 
rely- and guarantee-conditions serve to "cut" the interdependence of modules on each 
other, analogously to the way in which a loop invariant cuts the dependence of one 
iteration of a loop on the previous iteration. This observation is strong motivation for the 
suggestion that module specifications ought not to be derived in isolation, but rather 
with a proof of correctness in mind in which those specifications are used. 


A correctness proof that makes use of Lemma 3.11 or Lemma 3.12 is rather 
different from one in which eventuality conditions (such as termination) are verified by 
the well-founded set techniques of [Floyd67, Keller76] and others. Proofs by the latter 
techniques tend to take the form of reasoning about the structure of a computation, 
whereas proofs by | emma 3.11 and Lemma 3.12 tend to be arguments based on the 
communication structure of the modules in the system. Experience gained from the 
examples presented in this thesis suggests that arguments based on communication 
structure are simpler and more natural. 


The use of rely- and guarantee-conditions has been proposed for safety 
specifications in [Jones83]. Independently of this thesis, Barringer and Kuiper 
[Barringer83] have proposed the use of liveness specifications that are partitioned into 
an "environment part," which captures assumptions made about the environment, and 
a “component part,” which captures commitments made by the module being specified. 
Jones, as well as Barringer and Kuiper, exploit the rely-/guarantee-condition structure 
of specifications by defining inference rules for process composition that seem closely 
related to Lemma 3.11. Barringer and Kuiper’s environment/component division seems 
essentially the same as the rely/guarantee division used in this thesis, except that 
Barringer and Kuiper apply the environment/component division to state-transition 
properties, as well as liveness properties. 


Misra and Chandy [Misra81] have also used a kind of rely/guarantee distinction to 
develop proof techniques for safety properties. In that paper, a process h is specified by 
an assertion of the form r|h|s, where r and s are predicates on finite sequences (called 
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traces) of communication events. Such an assertion is interpreted as: "The predicate s 
holds of the empty trace, and for all traces t that can be produced by process h, if r 
holds for all proper prefixes of t, then s holds for all prefixes (both proper and improper) 
of t. The predicates r and s can be thought of as roughly analogous to rely- and 
guarantee-conditions, respectively, although the former are properties of finite prefixes 
of traces rather than properties of infinite computations. Misra and Chandy’s proof 
technique is a "Theorem of Hierarchy," which gives conditions under which 
specifications of a collection of components can be used to infer a specification of the 
network formed by interconnecting the components. Their proof technique can be 
stated as follows: To show that the specification RO|H|SO for the network H is a 
consequence of the specifications rJhjs, (i € /) for the components, it suffices to show 
that: 

(1) S implies SO, 

(2) RO and S implies A, 
where R and S denote the conjunction of the r, and s,, respectively. These conditions 
are syntactically similar to the conditions (1) and (2) of Lemma 3.11, although their 
meaning is quite different. The proof of Misra and Chandy’s Theorem of Hierarchy is by 
induction on computation prefixes, whereas the proof of Lemma 3.11 is by structural 
induction using a well-founded dependency relation. 


In [Misra82], the techniques of [Misra81] are extended to encompass a weak form 
of liveness specification in which an additional predicate q is used to state conditions 
under which a process trace is guaranteed to be extended. The Theorem of Hierarchy 
is augmented with additional conditions to permit its application to these more general 
specifications. The additional conditions do not appear to relate in a simple way to any 
conditions used in this thesis. 


To state Lemma 3.11 and Lemma 3.12, the following notation is convenient: If R 
and G are subsets of a universe U, then define R ->,, G (read R implies G in U) to be the 
subset (U - R) U G of U. In applications of Lemma 3.11 and Lemma 3.12, the set U will 
be the set Comp(M) of computations of a machine M, and R and G will be the sets of 
computations of M that satisfy rely-conditions and guarantee-conditions, respectively. 


Lemma 3.11 below says that to prove that the validity condition holds, it suffices to 
prove: 
(1) The abstract module’s guarantee condition is implied by the conjunction of 


the guarantee conditions for the component modules. 

(2) There exists a well-founded partial ordering (a "depends on" relation) of 
the component modules in the system, such that each component module’s 
rely-condition is implied by the conjunction of the abstract module’s rely-condition and 
the guarantee-conditions for the modules on which the component depends. 


Lemma 3.11 - (Rely/Guarantee Technique |) - Suppose U is a set and that R,.., G..., 
and R,, G, for each i € / are subsets of U. Suppose V,.. = Aig 7y Gap, and V, = 
R, y G, for each i € 1. Suppose 
(1) Mes GS Gane 
(2) There exists a well-founded partial order < on / such that for all i € /, 
Raps A (Ne; G) Cc R;. 


Then Nic, VS Vang: 


Proof - Suppose X € Raps M (Nie, V,). Suppose further, to obtain a contradiction, that X 
€ Gia. Then by hypothesis (1) we know that X ¢€ G,, for some i, € /. 


Since X € G and since X € Vi by assumption, it must be the case that X € A By 
hypothesis (2) and the assumption that X € R,.., there exists i, < ij, such that X ¢ G,- 
Repeating this argument yields an infinite descending sequence i, > i, > .., in 
contradiction with the well-foundedness of <. § 


An example of the use of Lemma 3.11 can be found in the proof of correctness of 
the transmission module implementation in Appendix Il. 


The existence of the "depends on" relation required to satisfy hypothesis (2) of 
Lemma 3.11 is a rather stringent condition. in some cases, for example the 
synchronizer implementation, all of the component modules in the system are 
symmetric in their relationship to each other, and it is hard to see how a suitable 
dependency relation might be found. Lemma 3.12 below shows that an alternative 
“acyCclicity" condition can be used, in case the component module rely- and 
guarantee-conditions can be factored in a certain way. Specifically, Lemma 3.12 
assumes that the rely-condition for module i can be expressed as the conjunction of 
what module j relies on the external environment and on each component module j to 
provide, and that the guarantee-condition for module i can be expressed as the 
conjunction of what module / guarantees to the external environment and to each 


component module j. 


In Lemma 3.12 below, one should think of Ai, Gi. as the rely- and 
guarantee-conditions for the abstract module, and of R, G, as the rely- and 
guarantee-conditions for component module i. The hypotheses of Lemma 3.12 require 
us to find {RG, phiel+ {abs}}. (RG stands for "rely/guarantee.") Intuitively, if i, / € /, 
then RG, ; expresses what module i guarantees to module /, and also what module j 
relies on module / to provide. RG... ; expresses what the external environment of the 
entire system guarantees to component module j, and also what module j relies on the 
external environment to provide. RG, abs expresses what component module i 
guarantees to the external environment, and also what the external environment relies 
on module / to provide. 


Condition (1)(a) and (1)(b) in Lemma 3.12 state, intuitively, that the abstract 
module’s rely-condition implies what each of the component modules rely on the 
external environment to provide, and that the abstract module's guarantee condition is 
implied by the conjunction of what each of the component modules guarantees to 
provide to the external environment. Condition (2)(a) states that each component 
module’s rely-condition is implied by the conjunction of what that component relies on 
the external environment to provide and on what that component relies on the 
component modules in the system to provide. Condition (2)(b) states that the 
guarantee-condition for component module / implies what module j guarantees to the 
external environment and what module / guarantees to each of the component modules 
in the system. Condition (3) in Lemma 3.12 is an acyclicity condition, which states that 
there can be no unbroken cyclic dependency between component modules. 


If / is a set, then define a cycle of | to be a nonempty subset of / x / of the form: 
{igs 19s Sys ig>s +s gy i>}, Such that i, = i. 


Lemma 3.12 (Rely/Guarantee Technique !I) - Let / be a finite index set. Suppose that 
U is a set and that F,,.., G,.,, and R;, G, for each i € / are subsets of U. Suppose V,,, = 
Ras uy Gaps 20d V, = R, +, G,, for each i € J. If there exists, for each i,j € 1 + {abs}, a 
set RG, C U such that (1)-(3) below hold, then Mie, V; E Vang: 
(1)(8) Rags © Mey RG gig 
(b) “Ne RG as c Gare: 


(2)€) Mer tan) 2G, © AF, for all j € 1. 


(6) GC vers {abs} RG,» for alli € I. 
(3) Whenever (<i, i,>, </,, i9>, -»» S,_4:/,>) is a cycle of /, then 
U = UN RG, , 
kk 


k=0 +1 


Proof - Suppose (1)-(3). Suppose further, to obtain a contradiction, that there exists X 
EUNR,,. M (Nic, V) such that X € GG... We perform an inductive construction to 
obtain a cycle {Sigs ing 12s 1 Sig ip} Of I such that X € UP7, RG, This 
contradicts hypothesis (3). 


As the induction hypothesis at stage k of the construction, we assume that 
iyi) +. si, have been constructed so that X €R, , and that X ¢ UIT’ RG, i 
k + 


Basis: From (1)(a) and the assumption that X € Raps’ We know that X € RG,,.. J for all €/. 
Since X € G,,,, by (1)(b) we know that X € RG, abs for some i, € /. By (2)(b) we know 
that X € G,. and from the assumption that X € vi we conclude X ¢ R, 


Induction: Assume the induction hypothesis holds for some k > 1. By (2)(a) we know 
that X @ See for some i, ,,€/. Iti, ,, = i,, for some m with 1 < m <k, then we have 
obtained the desired cycle and the construction terminates. Otherwise, by (2)(b) we 
know that X € Gy and from the assumption that x € se we conclude that X € 


Re ; This establishes the induction hypothesis for k + 1. 
, : 


Since the set / is finite by hypothesis, we cannot extend the sequence /,, /,, ... , /, 
indefinitely without creating a cycle. & 


Examples of the use of Lemma 3.12 can be found in the proof of correctness of the 
synchronizer implementation in Chapter 4, and in the proof of correctness of the 
resource manager implementation in Appendix II. 


4. The Synchronizer Implementation 


In this chapter, the theory developed in Chapter 3 is applied to obtain complete 
specifications and a proof of correctness for the synchronizer example. in Section 4.1 
we review the synchronizer module specification which has already been developed. It 
is shown how the set of valid computations for this specification can be given a concise 
definition using the language of temporal logic. In Section 4.2, the synchronizer 
component module specification is presented. In Section 4.3, the definition of the 
synchronizer module implementation is reviewed. In Section 4.4, the Correctness 
Theorem is used to prove the correctness of the synchronizer implementation. 


4.1 Notation 


This section introduces the notation we will use to express state-transition 
specifications, and in particular, the temporal logic notation we use to define the sets of 
valid computations. We use this notation in this chapter in a highly informal fashion, 
and do not concern ourselves with precise syntax and semantics. The reader who is 
interested in a careful treatment of the notation we use is referred to Appendix I. 


To define a state-transition specification S, we first define the interface E. and 
State set Q, of the machine M,. As discussed in detail in Appendix !, we regard these 
two sets as two distinguished sorts Events and States in a many-sorted algebra A,. We 
associate a first-order language £(S) with the algebra A, in the usual way. The 
language L(S) is used to define the initial state set Init, and the state-transition relation 
Trans, of the machine M,. In this chapter, we often use constructions that are not part 
of a first-order language. Appendix | shows how the use of these constructions can be 
justified. 

From the first-order language 2(S), we obtain a temporal language 3(S) by 
augmenting L(S) with the temporal operators 0 (read “henceforth") and © (read 
“eventually"), which are applied to formulas to obtain new formulas. In addition, three 
new atomic terms are added to the language: Now and After, which behave 
syntactically like constant symbols of sort States, and Occurs, which behaves like a 
constant symbol of sort Events. The meanings of the symbols Now, Occurs, and After 
depend upon the particular instant of time under consideration, and thus are altered by 
the action of temporal operators 0 and ¢ in a way that is detailed below. Intuitively, if 
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the particular instant of time under consideration is t, then Occurs denotes the event 
that occurs at time t, Now denotes the state at time t, and After denotes the state "just 
after" time ¢. 


The semantics of the temporal language associated with a specification S = 
<M, V> are captured by the binary relation (read "satisfies"), which tells when a 
formula of the temporal language is satisfied by a particular history over E,, and Q,,. To 
assert that the history X satisfies a particular temporal formula », we write X — g. 
Satisfaction is defined informally as follows: If g is a formula that contains no 
occurrences of temporal operators, then X F @ iff @ holds in the usual sense of 
first-order logic, with the symbols Now, Occurs, and After interpreted as State,(0), 
Obs, (0), and State,(0*), respectively. If » is a formula of the form Dy, then X & q iff 
Suffix,(X)  ¥ for allt € [O, 00). If is of the form Oy, then X F q iff suffix, (X) = for 
some t € [0, 0). Note that the semantics we use are essentially the “linear time" 
semantics of [Lamport80], and hence the © operator is equivalent to the compound 
operator “O07. 


We Say that a formula is a consequence of a set of formulas ¥, written ¥ F 9, if 
X — op whenever X & ¥y for all ¥ € ¥. A formula g is valid, written & 9, if it is a 
consequence of the null set of formulas. 


The temporal language 9(S) of a specification S = <M,, V,> contains an important 
sentence to which we shall refer extensively. This is the sentence 
Comp, = Init,(Now) A OTrans,(Now, Occurs, After). 
Intuitively, X F Comp, iff X is a computation for the machine Mg. 


4.2 Specification of the Synchronizer Module 


In this section, we review the state-transition specification SS&4¥ = <M@5M, YY) of 
the synchronizer module, which has already been developed in Chapter 3. 


Let Proc be a finite set of user processes. 
interface: 


EM = {A} U {try,, run,, rest,: p € Proc}. 
In anticipation of Chapter 5, we classify each event in the synchronizer module interface 
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as either an input event, an output event, or both (the null event A is the only event that 
is both an input and an output event). 

Ins = {A} U {try,, rest,: p € Proc} 

Out™ = {A} U {run,: p € Proc}. 
Although our theoretical framework so far draws no formal distinction between input 
and output, in Chapter 5 such a distinction is introduced to obtain a useful test for 
consistency of liveness specifications. Input events should be thought of intuitively as 
stimuli that are applied to a module by its environment, and output events as responses 
applied by a module to its environment. A module does not have the capability of 
regulating the application of input stimuli to it. 


Machine: 


The state set for the synchronizer module machine is defined by 
Q™ = Meproc {trying, running, resting, error}. 
To ease later discussion, let us say that process p is resting (resp. trying, running, in 
error) in state q if q(p) = resting (resp. trying, running, error). 


The set of initial states for the synchronizer module machine is defined by 
Init = {q € Q™: g(p) = resting for all p € Proc}. 


A step <q, e, P is in the state-transition relation Trans™ for the synchronizer 
module machine iff either e = \ and q = r, or one of the conditions (try), (run), or (rest) 
below is satisfied for some p € Proc. 


A try event for process p can occur at any time. If process p was previously resting then 
it advances to the trying state, otherwise to the error state. The states of all other 
processes are unaffected. 
(try) e= try, and either 
q(p) = resting andr = q[trying/p], or 
q(p) # resting and r = qferror/p]}. 


A run event for process p can occur only if process p is trying, and no other processes 
are currently running. Process p advances to the running state, and the states of all 
other processes are unaffected. 
(run) e = run, q(p) = trying, q(p ') # running for all p ' € Proc - {p}, 
andr = q[running/p]. 
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A rest event for process p can occur at any time. If process p was previously running, 
then it advances to the resting state, otherwise to the error state. The states of all other 
processes are unaffected. 
(rest) e= rest, and either 
q(p) = running andr = q[resting/p], or 
q(p) # running and r = q[error/p]. 


Validity Conditions: 


We wish the validity condition for the synchronizer module to capture the idea that 
every user's request should eventually result in a response, if possible. This condition 
can be stated in the rely-/quarantee-condition form as follows: “If every user process 
obeys the requirement that, once in the running state, it will eventually leave the running 
state, then the synchronizer module guarantees that every user in the trying state will 
eventually leave the trying state (and hence advance to the running state)." We can 
express this condition concisely as a temporal sentence. 
ValidS™ = RelyS - GuarS” 

where , 
Rely™ = O(vVp€Proc)(Now(p) = running ~ ©(Now(p) # running)) 
Guar = O(vp€Proc)(Now(p) = trying - O(Now(p) # trying)). 


4.3 Specification of the Synchronizer Component Module 


A synchronizer component module communicates with an associated user 
process via the try, run, and rest events, with its neighboring synchronizer component 
module in the clockwise direction via token_out and request_in events, and with its 
neighboring synchronizer component module in the counterclockwise direction via 
token_in and request_out events. The conceptual state of the module contains a count 
of the number of tokens the module possesses, plus information concerning the state of 
the associated user process. The synchronizer component module can allow the user 
process to enter the running state only if it possesses a token, and must retain a token 
throughout the entire period during which the user is in the running state. We would 
like the synchronizer component module to be "fair" in the sense it eventually grants 
each user request, if possible, and eventually responds to each request for the token by 
its clockwise neighbor in the ring, if possible. 
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The specification of the synchronizer component module is parameterized by the 
number of tokens it possesses in the initial state. Thus the specification presented 
below actually is a specification schema that represents a family {SC,: k € N} of related 
specifications, where SC, is the specification for the synchronizer component module 
with k tokens in the initial state. The only place the initial number of tokens appears in 
the specification is in the definition of the initial state set. 


Interface: 


The first task in the construction of the synchronizer component module 
specification is the description of its interface. 
ESC = {), try, run, rest, token_in, token_out, request_in, request_out}. 
The sets of input and output events are defined by: 
ins Ss = A, try, rest, token_in, request_in} 
Out == {), run, token_out, request_out}. 


Machine: 


A state for the synchronizer component module contains a "token" component, 
whose value represents the number of tokens the module possesses, and a "ustate" 
component, which tells what state the synchronizer component module thinks the user 
process is in. 

Q®° = token: NX ustate: {trying, running, resting, error}. 
The "tags" token and ustate are used as selectors; if q € Q™, then q(token) denotes the 
token component of q and q(ustate) denotes the ustate component. 


In an initial state the synchronizer component module SC, has k tokens and the 
user process is resting. 
initS%, = {q € Q®: g(token) = k A q(ustate) = resting}. 


A step <q, e, © is in the state-transition relation Trans™ for the synchronizer 
component module machine iff either e = X and q = r, or one of the conditions (try), 
(run), or (rest), (token_in), (token_out), (request_in), (request_out) below is satisfied: 


A try event can occur at ahy time. !f the user process was previously resting, then it 
advances to the trying state, otherwise to the error state. . 
(try) e = try and either 
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q(ustate) = resting and r = q[trying/ustate], or 
q(ustate) # resting and r = q[error/ustate]. 


Arun event can occur only if the user process is trying and the synchronizer component 
modute currently possesses a token. The user process advances to the running state. 
(run) e = run, q(ustate) = trying, g(token) # 0, andr = g[running/ustate]. 


A rest event can occur at any time. If the user process was previously running, then it 
advances to the trying state, otherwise to the error state. 
(rest) e = rest and either 
q(ustate) = running and r = g[resting/ustate], or 
q(ustate) * running and r = q[error/ustate]. 


A token_in event can occur at any time, and causes the number of tokens possessed by 
the synchronizer component module to be increased by one. 
(token_in) e = token_in and r = q[q(token) + 1/token] 


A token_out event can occur only if the user process is currently not running, and the 
synchronizer component module possesses at least one token. The number of tokens 
possessed is decremented. . 
(token_out) @ = token_out, q(ustate) # running, q(token) # 0, and 
r = q[q(token)-1/token] 


A request_in event can occur at any time, and has no direct effect on the state. The way 
in which a request_in event induces the synchronizer component module to eventually 
respond with a token_out event is captured by the validity conditions. 

(request_in) e = request_in andr = q 


A request_out event can occur only if the synchronizer component module currently 
does not possess a token. Occurrence of such an event has no effect on the state. 
(request_out) e = request_out, q(token) = 0, andr = q 


Validity Conditions: 
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We would like the synchronizer component module validity conditions to capture 
the following two ideas: 
(1) A synchronizer component module always eventually satisfies a user’s 
request, if possible. 
(2) A synchronizer component module always responds to requests for the 
token issued by its clockwise neighbor, if possible. 
We can state this in rely-/quarantee-condition form as follows: If all requests issued by 
the synchronizer component module to its counterclockwise neighbor are eventually 
granted, and the user process never remains forever in the running state, then al! user 
requests and all requests for the token from the clockwise neighbor, will eventually be 
granted. Formally, 
ValidS° = RelyS¢ - GuarS¢, 
where 
RelyS° = O(Now(ustate) = running + ©(Now(ustate) # running)) A 
O(Occurs = request_out > (Now(token) # 0)) 
Guar*° = O(Now(ustate) = trying ~ ©(Now(ustate) # trying)) A 
OC(Occurs = request_in ~ (Occurs = token_out)) 


4.3.1 The Synchronizer Implementation 
/ 


To be able to describe and reason about the synchronizer implementation we must 
formalize the idea that the set Proc is a “ring-structured set of processes with a 
distinguished process." We assume that the set Proc is the set of integers modulo N for 
some N, and that zero is a distinguished process, which will be the process that initially 
possesses the token. 


We first define the synchronizer interconnection 
SM _ ¢fSMi SMI ¢pSMi 
39M! = ESM, SM <g5Mly >. 

The abstract interface D™' is the synchronizer module interface E, and the pth 


component interface aa is the synchronizer component module interface E*. 


The composite interface for the synchronizer module implementation is defined 
by: 
ESM = {A} + {try,, run,, rest,, token,, request,: p € Proc}. 
InSMI = {A} + {try,, rest,: p € Proc} 
Out™! = {\} + {run,, token, request,: p € Proc}. 
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The try, run, and rest, events in the composite interface correspond under the 
decomposition map to try, run, and rest events for synchronizer component module p, 
and under the abstraction map to try, run, and rest, events for the synchronizer 
module. A token, event represents the transmission of a token from synchronizer 
component module p to synchronizer component module p+1 (i.e. in the clockwise 
direction around the ring), and a "request" event represents the transmission of a 
request from synchronizer component module p to synchronizer component module 
p-1 (i.e. in the counterclockwise direction). We capture this information formally by 
defining the abstraction map a“! and decomposition map § ™'. 

aM(e) = e, if e € {try,, run, rest,: p € Proc}, 
=i, ife € {token,, request: p € Proc} U {A}. 


bSMi(e) = try, ife = try, 
= run, ife = run, 
= rest, ife = rest, 
= token_in, ife = token, , 
= loken_oul, ife = token, 
= request_in, ife = request, , ; 
= request_out, ife = request, 
=i, otherwise. 


To complete the description of the synchronizer implementation <3", SSM’, s Mb, 
we must define the specifications SS! and SM! for each p € Proc. The specification 
SSM is the synchronizer module specification SS“. The specification S™' is the 
specification S$5°1 of the synchronizer component module with one initial token, and for 
all p € Proc - {zero}, S™ is the specification S®“o of the synchronizer component 
module with no initial tokens. 


4.4 Correctness of the Synchronizer Implementation 


In this section, we use the techniques of Chapter 3 to show the correctness of the 
synchronizer implementation. Most of the proof consists of straightforward case 
analyses. The interesting content of the proof is contained in the use of Lemma 3.12 to 
prove that the validity condition holds. 
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4.4.1 Implementation Invariant 


To prove the correctness of the synchronizer module implementation, we first 
need to find an implementation invariant that provides enough information about the 
reachable states of the composite machine so that we can prove the maximality 
condition. The implementation invariant will also be useful in the proof that the validity 
condition holds, and so in this section we define an implementation invariant that is 
strong enough for both the maximality and validity proofs. 


For a set Inv to be an implementation invariant for an implementation means that it 
is inductive for the composite machine for the implementation. Formally, if M is the 
composite machine and E the composite interface, we must show: 

(Basis) (VqEQ,)(q € Init, > q € Inv)) . 
(Induction) (Vq,r€Q,,, 6 € E)(<q, e, > € Trans,, > (q € Inv r € Inv)). 


It is generally convenient to define an implementation invariant Inv by a predicate 
Inv(q) = Rep(q) A Abs(q), 

where Asp is called the representation invariant and Abs is called the absiraciion 
relation. A representation invariant describes a relationship that must hold at all times 
between the states of component modules in an implementation. Representation 
invariants serve roughly the same purpose here as what is called the "data type 
invariant" in the literature on abstract data types [e.g. Jones81, Jones83]. An 
abstraction relation describes the correspondence between the states of the 
component modules and the state of the abstract module. The abstraction relation 
plays the same role here as the "retrieve functions" of [Jones81], and the 
“representation functions" of [Hoare72]. 


The implementation invariant Inv™' for the synchronizer implementation is defined 

as follows: 
InvSM\(q) = RepS'(q) - Abs“\(q), 

The abstraction relation Abs™' holds of state q iff in state g, the abstract synchronizer 
module’s view of the state of the pth user process is identical to the pth synchronizer 
component module's view, for each p in Proc. Stated another way, the abstract 
synchronizer module state corresponding to a given collection of synchronizer 
component module states is obtained by throwing away all information, except for the 
ustate component, in the states of the component modules. Formally, 
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Abs®“(q) = Aveproc(Fans(?) = 9,(ustate)), 
where we have used the notations q,,,, 9, as abbreviations for m,..(q), 7,(Q), 
respectively. 


The representation invariant Rep™' is defined by: 
Rep®™\(q) = Mutex(q) A Token(q). 
Mutex(q) states that if a user process is in the running state, then the corresponding 
synchronizer component module must possess a token. Formally, 
Mutex(q) = A p€Proc(7,(ustate) = running > gq, (token) # 0). 
Token(q) asserts that the total number of tokens in the system at any time is precisely 
one. 


Token(q) = = (token) = 1. 


‘pEProc Ps 


The proof that InvS“"(q) is in fact an implementation invariant for the synchronizer 
implementation is a straightforward induction. 


Basis: It follows directly from the initial state sets that if Init®“"(q) holds, then 


Taps(P) = resting for all p € Proc 
Gero |= “token: 1, ustate: resting> 
I = <token: 0, ustate: resting> for all p € Proc—{zero}. 


It is easily checked that these three conditions imply that Abs®™(q), Mutex(q), and 
Token(q) all hold. We conclude that InvS“"'(q) holds for all q € initS', as required. 


Induction: We must show that for all <q, e, > € Trans®™', if InvS'(q) holds then InvS'(r) 
does, too. Suppose that <q, e, > € Trans™! and Inv™"'(q) holds. 


First of all, note that if e = A, then gq = r and hence Inv™(r) follows trivially from 
invSM'(q), We therefore assume in what follows that e # A. We consider separately the 
proofs of Abs®'(r), Mutex(r), and Token(r). 


To prove that Abs®™'(r) holds, there are two cases: (1) e € {token > Fequest,: p € 
Proc}; and (2) e € {try,, run, Fest,: p € Proc}. Case (1) is disposed of quickly by noting 
that ife = token, ore = request, for some p € Proc, then r,..(p') = Gaps(P ') and 
r,dustate) = q, (ustate) for all p’ € Proc. Thus in this case Abs™(r) follows directly 
from Abs*(q). Case (2) is handled by a straightforward enumeration of the cases: e = 
try, e = run,,e = rest, and verifying that in each case, the occurrence of e results in 
identical values for Taps(P ) and eA Austate), for each p ‘ € Proc. 
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We now consider the proof that Mutex(r) holds. Suppose not, then it must be the 
case that r(ustate) = running and r (token) = 0 for some p € Proc. By a case analysis 
on e it is straightforward to check that the only way this can happen is if either q,(ustate) 
= running and e = token, or q,(token) = Oande = run,. Examination of the 
specification of the synchronizer component module shows that it is impossible for a 
token, event to occur if q,(ustate) = running, and also for a run, event to occur if 
q, (token) = 0. 


Finally, we wish to show that Token(r) holds. A case analysis on e shows that the 
only events that affect the number of tokens in the system are those of the form token ; 
for some p € Proc. Examination of the specifications shows that, when such an event 
occurs, r,(token) = q, (token) -1, Ty 4 s(token) = 9, 4 s(token) + 1, and ly {token) = 
W (token) for all p‘ € Proc ~ {p, p+ 1}. Thus Zo ‘eProe “p (token) = z, €Proc Ip (token), 
and hence Token(r) holds. 


4.4.2 Proof of Maximality 


We must show that for all q € Q&! and e € E™, if inv8“\(q) holds and 65“(e) is 
enabled in state I for all p € Proc, then a®“"(e) is enabled in state Tabs 


Suppose Inv®“(q) holds and that 5SMi(e) is enabled in state q, for all p € Proc. 
There are two cases: (1) e = run, for some p € Proc; and (2) e is not of this form. 
Examination of the synchronizer module specifications shows that case (2) is trivial, 
since a(e) is enabled in any state unless e = run, for some p € Proc. 


Now consider case (1). Since 5SM\(e) is enabled in state qp from the synchronizer 

component module specification we know that 

(A) q,(ustate) = trying and q, (token) #0. 
The assumption that Inv“'(q) holds implies that Token(q), Mutex(q), and Abs®"(q) all 
hold. From (A) and Abs®™(q) we infer that q,,,(0) = trying. From (A) and Token(q) we 
know that q, (token) = 0 for all p’ € Proc-{p}. From this and Mutex(q) we infer that 
q, (ustate) # running for all p' € Proc-{p}. From this and Abs®™™"(q), we conclude that 
Gapg(P ') # running for all p' € Proc-{p}. We have shown that 

(B) Gays?) = trying A (A, cproc-to} Tabs?) # running). 
holds. Examination of the synchronizer module specifications shows that (B) implies 
that a“'(e) is enabled in state q,,,, as desired. 


4.4.3 Proof of Validity 


To express the proof that the validity condition holds for the synchronizer 
implementation, we associate a temporal language 3(S*“') with the composite 
specification SSM! = <M5S™! ySMl in the same way as temporal languages were 
associated with the synchronizer module and synchronizer component module 
specifications. In addition, we must have some way of taking the temporal sentences, 
each expressed in its own temporal language, that define the sets of valid computations 
for the synchronizer module and synchronizer component module specifications, and 
“lifting” them to the common language 3(S*“'), This can be accomplished by a simple 
syntactic translation, which we now define. . 


To each formula » of 3(SS¥) we associate a corresponding "lifted" version [¢] is 
of 3(SS™'), by replacing each occurrence of the symbol Now by the term Now,,., each 
occurrence of After by the term After,,., and each occurrence of Occurs by the term 
a°(Occurs). Similarly, to each formula @ of 3(SS°) and each p € Proc, we associate a 
corresponding formula (rl, € (SSM), by replacing each occurrence of Now by Now,, 
each occurrence of After by After,, and each occurrence of Occurs by 8©“(Occurs). 


The precise relationship between a formula and its lifted version is captured by 
Lemma 1.2 in Appendix |. Informally, if p € 9(S®), then a history X for the composite 
machine M™' satisfies the formula [[]},,, € IA) iff the canonical projection x") of x 
satisfies the formula gy. Similarly, if p € 9{S°°), then a history X for M™' satisfies (ol, iff 
X satisfies g. An analogous result is stated in [Wolper82], where the process of 
"lifting" specifications of individual processes to obtain specifications of a system of 
processes is called "relativization." 


In the proof that the validity condition holds for the synchronizer implementation, 
we must have some way of making use of the information contained in the 
state-transition relation of the composite machine. We do this by using the 
implementation invariant according to the following rule of inference: If Inv has been 
shown to be invariant, then 

Comp F& Dinv(Now) 
holds. This rule, whose validity follows from Corollary 3.7, will be used extensively in our 
correctness proofs. 
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To show that the validity condition holds for the synchronizer implementation, we 
must show that: 
Comp! = A. cpro¢ [ValidS°],, + [Valid]... 
In light of Lemma 3.12 it suffices to find, for each i, j € Proc + {abs}, a temporal 
sentence RG, such that conditions (SMI1)-(SMI3) below hold. 


(SMI1)(a) Comp™! & [RelySM].. Aicproc RG abs, 
(SMI1)(b) Comp™  Aicproc RG, ans > [Guar]... 
(SMI2)(a) Comp"! F Aicoroc (Aicproc + {aby RG,, > [Rety$]}) 
(SMI2)(b) Comp!  Ajcp.o, ([Guars“], > A ieproc + {abs} RG) 


(SMI3) Whenever {<i Bs Sigs igs oes Ieige i>) is a cycle of Proc, then 

Comp™! f= VE RG, ae 

The sentences RG, j express what is relied/guaranteed between each pair of 

synchronizer component modules or between a synchronizer component module and 
the external environment of the entire system. The synchronizer component module 
specifications have been chosen in such a way that the sentences RG, , can be obtained 
simply by "lifting" the synchronizer component module rely-/guarantee-conditions to 
the temporal language of the composite machine. The formal definitions are as follows: 
For all i, € Proc, j , 

RG, abs = O(Now((ustate) = trying - O(Now(ustate) # trying)) 

RG,.. i= O(Now (ustate) = running (Now (ustate) # running)) 
For all i € Proc, 

RG,_,, = O(6™(Occurs) = request_out -+ (Now(token) # 0)) 
For all i,j € Proc such that i+ 1 # j, 

RG, j = true 


Next, we verify (SMI1)-(SMI3). Assume Comp™' throughout the remainder of the 
proof. The interesting intuitive content of the validity proof is contained in the proof that 
(SMI3) holds. The remaining cases are practically automatic. 


Intuitively, hypothesis (SMI1)(a) says that the abstract module rely condition 
implies what each component module relies on the external environment to provide. 
Hypothesis (SMI1)(b) says that the conjunction of what each component module 
guarantees to the external environment implies the abstract module 
guarantee-condition. Formally, we must show: 


(SMI1)(a) [RelyS“] abs ” Npeproc RGans.p 

(SMI1)(b) Ap eproc RG, abs > [Guar]... 
We show (SMI1)(a), condition (SMI2)(b) is equally straightforward. From the 
synchronizer module specifications, we know that 

[Rely™) .. = DA ccproc(NOW,,,(P) = running -> O(Now,,,(p) # running)) 
Suppose that [Rely“],, holds. By the invariance of the abstraction relation Abs®™', we 
infer 

DA .cProc(Now, (ustate) = running > ©(Now, (ustate) # running)). 
Interchanging the 0 and conjunction yields 

N peProc RG 
as desired. 


abs,p’ 


Intuitively, hypothesis (SMI2)(a) says that each component module’s rely-condition 
is implied by the conjunction of what is guaranteed to it by the external environment and 
by each other component module. Hypothesis (SMI2)(b) says that each component 
module’s guarantee-condition implies what the external environment and each other 
component module rely on it to provide. Formally, we must show: 

(SMI2)(8) Aigprocs fabs) RG) > [Rely$“,, for all p € Proc 

(SMI2)(b) [GuarS°], + Arcproe + fabs} RG,» for all p € Proc. 
To show condition (SMI2)(a) is completely straightforward. Let p € Proc be fixed. It 
suffices to show that RG,,,, ARG,_,, [RelySy >; By definition 

RG,.. p= C(Now (ustate) = running > (Now (ustate) ¥ running)) 

RG,_,, = O(8S“(Occurs) = request_out -+ O(Now, (token) # 0). 
The conjunction of these two sentences is easily seen to be equivalent to [Rely®] , bY 
inspection of the synchronizer component module specifications. 


To show (SMI2)(b) is not completely trivial because of the fact that what 
component module p guarantees to module p +1 is not exactly what module p + 1 relies 
on module p to provide. Specifically, module p guarantees always to eventually send 
the token in response to a request from module p + 1. However, module p +1 relies not 
on the eventual occurrence of a token_in event, but rather on the eventual setting of the 
token component of its state to a nonzero value. The nontrivial portion of the proof is to 
use the state-transition relation for module p +1 to show that occurrence of a token_in 
event for that module implies the eventual setting of the token component of its state to 
a nonzero value. 
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Formally, to prove (SMI2)(b) it suffices to show that [Guar], > RG, ans 
since RG, = /= true by definition unless j = abs orj = p+1. By definition 
RG, abs = O(Now , (ustate) = trying - ©(Now pustate) # trying)) 
RG, puiz= = O(85" ' (Occurs) = request_out > (Now, , ,(token) # 0)). 
By inspection of the synchronizer component module specifications, we have 

[GuarS>] » = O(Now, (ustate) = trying +» (Now, (ustate) # trying)) A 

O(5S“\(Occurs) = request_in —> ©(8"(Occurs) = token_out)). 

Assume [GuarS°] p Then RG, as follows immediately from the first conjunct of 
[GuarS°]. To show that the second conjunct of [GuarS°], implies RG, , , ,, note the 
definition of the state-transition relation for synchronizer component module p implies 


that 


RG, oat 


Ose" (Occurs) = = token_in > O(Now, , , # 0)). 
From the second conjunct of [GuarS“] using the definition of the decomposition map 
&™' we obtain 

os! (Occurs) = request_out —> ©(55M! (Occurs) = token_in)). 
Combining the preceding two sentences and applying temporal reasoning shows 


RG, 34: 


, as desired. 
The most interesting part of the proof is the proof that (SMI3) holds. To show 
(SMI3), we must show that 


Comp™! = vi! RG, 


k=1 J 

S k+l 
holds for every cycle {<i,, /,>, ... , <i,_4: 4,2} from Proc. The only nontrivial case is the 
cycle {<zero, zero+ 1>, cae 1, zero+2), ... , <zero+N—1, zero>} that traverses the 


entire ring in the clockwise direction, since every other cycle from Proc contains a link 
<i, > for which RG, j = true by definition. Suppose, to obtain a contradiction, that 
(SMI3) fails for this cycle. Then for all p € Proc, the sentence RG), a does not hold. 
This means that 

Apeproc O(8s(Occurs) = request_out A O(Now, (token) = 0)). 
That is, for each p € Proc, eventually a point is reached at which synchronizer 
component module p issues a request_out event, but never has the token after that 
point. This implies that 

ApeProc ©O(Now p(token) = Q). 
Since Proc is a finite set, it is valid to interchange the conjunction and © operator in the 
preceding formula, concluding that 


© NpeProc (Now , (token) = 0). 
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This asserts that there is some point after which no synchronizer component module 
ever possesses a token. This is a contradiction with the invariance of Token, which 


states that the total number of tokens in the system is always precisely one. 


5. Consistency of Specifications 


In Chapter 3 it is suggested that module specifications ought to be expressed in 
rely-/guarantee-condition form, and that the rely. and guarantee-conditions for the 
component modules in a system ought to be selected so that each component module 
guarantees precisely the conditions relied upon by its neighbors in the system. In 
Chapter 4 the synchronizer example illustrates how adherence to this principle can 
result in a simple proof of the validity condition required by the Correctness Theorem. 
In practice, there seems to be considerable flexibility in the choice of rely- and 
guarantee-conditions. Often significant simplifications in a correctness proof can be 
effected simply by adjusting the component module specifications. 


The apparent flexibility in the choice of rely- and guarantee-conditions in 
specifications raises the following somewhat disturbing question: What is to prevent us 
from writing component module specifications with extremely weak rely-conditions (e.g. 
true), and ridiculously strong guarantee-conditions (e.g. false), in order to simplify the 
proof of correctness? An implementation whose component module validity conditions 
are all of the form "true — false” makes the validity part of a correctness proof 
extremely simple, but also vacuous. We can also consider more subtle, but still 
problematic specifications in which a module "guarantees" the application of some 
input to it -- something that seems to contradict our intuitive notion of what it means to 
be an input. 


Since a specification of the form "true — false," or a specification that guarantees 
the application of input ought to be regarded as meaningless, we should have some way 
of distinguishing these specifications from others that are meaningful. The theory we 
have set up so far provides no formal criteria for making such a distinction. What we 
require is a suitable notion of consistency of specifications, with respect to which 
obviously unrealizable specifications such as "true — false" are inconsistent, and 
apparently reasonable specifications, such as the synchronizer component module 
specification, are consistent. 


In mathematical logic, a theory is consistent iff it has a model. Since the "models" 
of specifications are behaviors, it seems reasonable to define a specification to be 
consistent iff there is a behavior that satisfies it. If we take the term "behavior" in this 
definition to mean "arbitrary behavior," though, we do not obtain a stringent enough 
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notion of consistency. For example, every subset specification is consistent in this 
sense, since the empty behavior @ satisfies every subset specification. To obtain more 
stringent notions of consistency, we must restrict our interpretation of the term 
"behavior" to mean "realizable" or "computable" behavior. 


In this chapter, we examine a notion of consistency based on a model of 
concurrent computation called "!/O-systems." An I/O-system models a collection of 
concurrent processes that interact through coupled events. By viewing |/O-systems at 
various levels of abstraction we obtain the "1/O-behaviors," which we take as our Class 
of computable behaviors. A specification is defined to be "!I/O-consistent” iff there 
exists an 1/O-behavior that satisfies it. The notion of |/O-consistency seems to be quite 
useful for distinguishing between meaningful and meaningless eventuality 
specifications. We develop a technique for proving state-transition specifications to be 
1/O-consistent and apply this technique to show the 1!/O-consistency of the 
synchronizer component module specification. 


5.1 1/0-Systems 


This section defines a model of asynchronous concurrent computation called 
"!|/O-systems." An 1/O-system is a system of nondeterministic processes that interact 
through coupled events. The nonnull events in which each process can participate are 
partitioned into “input events" and "output events.” An input event for a process 
represents the stimulation of the process by its environment, and an output event for a 
process corresponds to the process responding to its environment. A process can 
choose whether or not it will produce output, but does not have the ability to control the 
application of input to itself. If a process wishes to produce output, then it cannot be 
prevented from doing so, although a process has no control over precisely when the 
output will be produced. . 


The coupling of the processes in an |!/O-system is described by a “system 
interface," the elements of which are "system events." Each system event is a vector 
with one component for each process in the system, and represents a possible 
simultaneous occurrence in the computation of the system. No system event contains 
more than one component output event, modeling the idea that at most one process can 
produce an output at any instant of time. 


To describe the execution of an I/O-system, it is helpful to imagine the existence 
of a “scheduler,” who controls the path of execution of the system. For each step of the 
system, the scheduler chooses a system event from the system interface. All processes 
then simultaneously take steps corresponding to the chosen system event. By the 
constraint that there is at most one output component of each system event, at most one 
process produces an output event in each step, and the other processes perform input 
steps or null steps. We are only interested in computations of an I/O-system that are 
"fair" in the sense that the scheduler selects each process to perform output steps 
often enough. 


We now give a formal definition of 1/O-systems. We first define the notion of an 
1/O-interface, which is an interface whose non-A events are partitioned into input events 
and output events. 


Definition - An //0-interface is an interface <E, A,, In, Out>, where In, C E is a set of 
input events and Out, C E is a set of output events, such that the sets In,, Out,, {A,} 
partition E. & 


We next define the "asynchronous product" of a collection of |/O-interfaces. 
Intuitively, the asynchronous product @,-, F, of the collection <F>,<, of |/O-interfaces 
represents the set of all possible simultaneous occurrénces in a system of processes 
where process / has interface F,. Each element of the asynchronous product interface is 
a vector of events from the component interfaces, such that at most one of the events in 
the vector is an output event. The fact that at most one event in each vector is an output 
event means that at most one process produces an output event at a time. This 
restriction is typical of asynchronous, interleaved execution models, and this is why the 
asynchronous product has been so named. 


Definition - The asynchronous product @i¢, F, of a collection <F>,-, of 1/O-interfaces is 
the interface F defined as follows: 


F = {f €11,,,F;: at most one f, is an output event} 
OF AP ie 
Ing = {f €F: { # A, and nof,is an output event} 


Out, = {f € F: exactly one f, is an output event}. 
The maps 1; @i¢,F, > F,, fori € J, that take a vector f to its th component, are called the 
canonical projections associated with @,¢,F,. ll 


In general, a system interface will not be the entire asynchronous product of the 
process interfaces, but rather only a sub-interface of the asynchronous product. The 
reason for using a sub-interface of the asynchronous product as the system interface is 
to capture possible coupling of events between processes. One kind of coupling that 
can be modeled in this way is the identification of events of distinct processes. For 
example, if the output event out for process one is to be identified with the input event in 
for process two, then we would include in the system interface the vector <out, ind, in 
which process one performs an out event at the same time as process two performs an 
in event, but we would exclude from the system interface the event <out, A>, in which 
process one performs an out event while process two does nothing, and the event <A, 
in>, in which process two performs an in event while process one does nothing. Other 
kinds of coupling can also be modeled. For example, if the input event in for process 
two always occurs along with an output event out for process one, but the event out for 
process one need not occur along with an in event for process two, then the system 
interface would include the events <out, in> and <out, A>, but would exclude the event 
<A, in>. 


Our only requirement on the system interface is that to each event of a component 
process there is some system event that contains the given event as a component. This 
requirement ensures that each observation over a process interface has a faithful 
representation as an observation over the system interface. 


Definition - An embedding of an |/O-interface E into an |/O-interface F is an injective 
translation y: E -» F such that y(In,) € In, and y(Out,) € Out,. 


(Recall that the fact y is a translation implies that y(A,) = A,.) 


Definition - A system interface for a collection <F>,., of 1/O-interfaces is an 
1/0-interface E C @,¢, F, such that 

(1) The inclusion map y: E @,¢,F, is an embedding. 

(2) Each map 2, ° y is onto F,, where <w#,>,,, are the canonical projections 
associated with @,,, F;. 
The collection of maps <a, ° Y¢, is called the canonical decomposition map associated 
with E. § 
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Each process in an |/O-system is represented by an “1/O-machine," which is a 
machine that cannot prevent the occurrence of input events. The 1/O-machines in an 
1/O-system are required to be "explicit" in the sense that each nonnull step results in 
the occurrence of some non-a step. This assumption is justified because we think of an 
1/O-system as being a detailed, low-level model, in which all steps taken by processes 
result in explicit observable events. Later we will apply abstraction maps to the 
behaviors of |/O-systems to obtain less detailed, higher-level views of system behavior, 
in which steps can be taken that do not result in observable events. 


Definition - An //O-machine of |/O-interface E is a machine M of interface E that is 
input-cooperative in the following sense: For allq € Q,, and e € In,, there exists r € Q,, 
such that <q, e, Mm € Trans,,. An 1/O-machine M of interface E is explicit if every step 
<q, 4, € Trans,, hasr = q. 


Definition - An //O-system is a tuple ¢ = <E, <M e ps where / is a finite, nonempty set of 
process indices, E C @,¢, F, is a system interface, and each M, is an explicit |/O-machine 
of interface F.w 


We associate with an |/O-system ¥ = <E, <M eps a system machine M defined as 
follows: 


Qy 
init I<, Init 
es heals 
Trans,, {<a ,e, £>: <q, 6(e), r> € Trans,, for all/ € /}, 
i 
where <6>,-, is the canonical decomposition map associated with E. & 


t 
wl 
2 
© 
= 


Definition - A computation for an |/O-system is just a computation for its system 
machine. I 


A computation X for an 1/O-system projects to computations X" for each of its 
constituent machines in the obvious way. 


We will be interested only in the "fair" computations of an |/O-system. To formally 
define the notion of fairness, suppose ¢ = <E, <MD ep is an |/O-system and M is the 
system machine. Suppose gq € Q,, is a system state. We say that process / runs in a 
step <q , e, ¢ > € Trans, if 5(e) is an output event for process i. We say that process i is 
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enabled in system State qg if thereis astep <q,e,r> € Trans,, in which process / runs. 


Suppose X is a computation for M. Process i is repeatedly enabled in X if for all t € 
[0, 00) there exists t’ € [t, 00) such that process i is enabled in State,(t). Process i 
repeatedly runs in X if for all t € [0, 00) there exists t’ € [t, 0©) such that process / runs in 
Step,(¢). 


Definition - A computation X for an 1/O-system is fair if for each process / in the 
system, if process / is repeatedly enabled in X, then process i repeatedly runs in X. 8 


5.2 1/0-Behaviors and !/0-Consistency 


Each computation of an 1/O-system produces an observation over the system 
interface. We call the set of all observations that are produced in fair computations of 
an |/O-system the "primitive behavior" of the system. This behavior is called 
“primitive” because it contains complete detail about the events that occur during a 
computation of the system. 


Definition - The primitive behavior PBeh(S) of a system of |/O-processes J is the set of 
all Obs, where X is a fair computation for ¢. 8 


By applying abstraction maps to the primitive behaviors, we obtain additional 
(nonprimitive) behaviors. We call any behavior that is the abstraction of a primitive 
behavior an "I/O-behavior." An abstraction map can suppress information in a behavior 
by mapping two distinct events of the same type (either input or output) to the same 
event, or by mapping an output event to A. To ensure that an abstraction map faithfully 
preserves the input/output structure of a behavior, we require that an abstraction map 
never map an input event to A, and never map an input event and an output event to the 
same event. Furthermore, we require that each abstract input event be the image of 
some concrete input event. 


Definition - An //O-abstraction map from the |/O-interface E to the |/O-interface D is a 
translation a: E — D with the following properties: 
(1) a(Out,) € Out, U {A}. (a preserves outputs) 
(2) afin.) € In,. (a strictly preserves inputs) 
(3) ais onto in,. 
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Definition - A behavior B € Beh(D) is an //O-behavior of interface D iff there exists a 
system ¥ of |/O-processes with system interface E and an |/O-abstraction map a: E -» D 
such that B = a(PBeh(%)). & 


The following result shows that the class of |/O-behaviors is a kind of completion 
under |/O-abstraction of the class of primitive behaviors. 


Theorem 5.1 - The class of !/O-behaviors contains all primitive behaviors and is closed 
under |/O-abstraction operators. 


Proof - Obvious from the definition of an !/O-behavior and the facts: 

(1) Identity translations are !/O-abstraction maps. 

(2) If a: F + E and g: E — D are |/O-abstraction maps, then 8 ° a is an 
\/O-abstraction map. I 


By taking the |/O-behaviors as our class of realizable or computable behaviors, we 
obtain the notion of "1/O-consistency” of specifications. 


Definition - A specification S of !/O-interface D is //O-consistent if there exists an 
1/O-behavior B of interface D such that B satisfies S. u 


5.3 Machine Characterization of 1/O-Behaviors 


To obtain techniques for proving the 1!/O-consistency of state-transition 
specifications, it is convenient to have a direct characterization, not involving 
1/O-abstraction maps, of the |/O-behaviors of interface E. Such a characterization is 
provided by Theorem 5.4 below. Theorem 5.4 states that the |/O-behaviors are exactly 
the sets of observations produced by "productive step machines," which are 
1/O-machines plus some scheduling information. 


Definition - A productive step set for an 1/O-machine M of interface E is a set Prod € 
Trans,, M Steps(Out_U{A,}, Q,,) that contains no null steps. & 


e3 
Definition - A productive step machine (PS-machine) of !/O-interface E is a tuple 


<M, <Prod> ic? where M is an 1/O-machine of Interface E and <Prod¢, is a finite, 
nonempty collection of productive step sets for M, such that Uje, Prod, equals the set of 
all nonnull steps <q, e, > € Trans, M Steps(Out,-U{A,}, Q,,). # 


Suppose that <M, <Prod rier is a PS-machine. The notions of the productive step 
set Prod, being enabled in a state of M and running in a step of M are defined in the 
obvious way. A computation X for M is fair if for each i € /, if Prod, is repeatedly enabled 
in X then Prod, repeatedly runs in X. Define the behavior Beh(M, <Prod,>,-,) of the 


PS-machine <M, <Prod,>,.> to be the set of all Obs, where X is a fair computation of M. 


The following lemma states that every PS-machine has the same behavior as a 
PS-machine whose productive step sets are pairwise disjoint. 


Lemma 5.2 - If <M, <Prod>.<> is a PS-machine of interface E, then there exists a 
PS-machine <M’, <Prod,'>,-> of interface E such that the collection <Prod, ><, is 
pairwise disjoint and such that Beh(M ’, <Prod, ied = Beh(M, <Prod)i¢,). 


Proof - The idea of the proof is to include a dummy "tag" component in the state of M ', 
so that steps in Prod,’ write j into the tag component. This ensures disjointness, since if 
i # j, then steps in Prod, and Prod, write different values into the tag component. 


Formally, define 
Quy: =Q,,X/ 
Init,,, = Init,, XJ 
Trans,,, = {<<q, k>, e, <r, m>>: (1)-(3) below all hold} 
(1) <q, e, > € Trans, 
(2) If <q,e, DE Vig, Prod,, then <q, e, r> € Prod, 
(3) If <q, e, r> € U,_-, Prod, then m = k. 
Prod,’ = {<<q, k>, e, <r, > € Trans,,.: <q, e, > € Prod} 
It is straightforward to check that M‘ is an !/O-machine of interface E and that the 
collection <Prod, ier is pairwise disjoint. 


To show that <M’, <Prod,">,.> is a PS-machine, we must show that the Prod,’ 
cover the nonnull output or A-steps in Trans,,.. If <<q, k>, e, <r, m>> is a nonnull output 
or A-step in Trans,,., then either m # k or <q, e, is a nonnull output or A-step in 
Trans,,. If m # k, then <q, e, > € U;_, Prod, by part (3) of the definition of Trans,,. and 
hence <q, e, > € Prod,, by part (2) of the definition of Trans,,.. By definition of Prod, iF 
we have that <<q, k>, e, <r, m>> € Prod, ", If <q, e, > is a nonnull output or A-step in 
Trans,,, then <q, e, > € U.,, Prod, because the Prod, cover the nonnull output or A-steps 
in Trans,,. By part (2) of the definition of Trans,,., we know that <q, e, r> € Prod_,, and 


hence <<q, k>, e, <r, m>> € Prod,‘ by definition of Prod, *. 


We claim that Beh(M ', <Prod, '>,..) = Beh(M, <Prod,>,,,). 


‘ 


Case Beh(M ', <Prod, >...) € Beh(M, <Prod ric) 


Each computation X' of <M’, <Prod,’>,..> defines a computation X of 
<M, <Prod,>,_,2, which we obtain simply by deleting the tag information from X. Suppose 
X ‘is fair and that Prod, is repeatedly enabled in X. It is easy to see from the definition of 
Prod,’ that if Prod, is enabled at time t in X, then Prod,‘ is enabled at time t in X '. Hence 
Prod,’ is repeatedly enabled in X ', and thus repeatedly runs in X ‘ by the assumption 
that X ' is fair. If Prod,’ runs at time t in X ', then by definition of Prod,’ it follows that 
Prod, runs at time t in X, so that X is fair. 


Case Beh(M, <Prod,>,.,) € Beh(M ', <Prod, >,-,): 


Given a fair computation X of <M, <Prod> ic? we wish to construct a fair 
computation X ' of <M‘, <Prod, '>,-> that generates the same observation. We construct 
X' from X simply by filling in appropriate tag information to match the occurrence of 
productive steps in X, however we must do this in such a way that X ‘is fair. 


To construct X ', let f: T - Steps(E, Q,,) be a history skeleton that spans X, where T 
= <t>,¢y; Suppose Step,(t,) = <q,, 6, 9,,,> for each k € N. By a straightforward 
inductive construction involving fair scheduling of the elements of /, we can obtain a 
sequence <m,>,¢y of elements of / such that <<q,, m,>, @,. <Q, , 41/7, ,.>> € Trans,,. for 
all k € N, and such that if <4,: 8,3 1,2 € Prod, for infinitely many k € N, then m, = / for 
infinitely many k € N. The history skeleton f' that maps t, to the step <<q,, m,>, @,, 
<Q,47°™,, p> then defines the desired fair computation X ‘of M'. § 


The lemma below shows that the class of behaviors of PS-machines is closed 
under !/O-abstraction. 


Lemma 5.3 - Given a PS-machine <M, <Prod,>¢> of interface E, and an 1/O-abstraction 
map a: E — D, there exists a PS-machine <M’, <Prod, ‘ep Of interface D such that 
Beh(M ’, <Prod,>,<,) = a(Beh(M, <Prod>,<)). 


Proof - The basic idea of the proof is simple: M ‘and the Prod, ' are defined by taking 
the images of M and the Prod, under a. There is one problem with the straightforward 
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execution of this idea: the Prod,’ might contain null steps. We solve this problem by 
introducing into the state of M’ an "idling counter," which is a boolean component 
whose only purpose is to change state upon execution of productive steps. 


Formally, define <M ', <Prod, '>,-,> as follows: 


Q, ' = Qu x {0, 1} 
Init,,, = Init, x {0, 1} 
Trans,,, = {<<q, b>, a(e), <r, c>>: (1) and (2) below both hold} 


(1) <q, e, > € Trans,, 
(2) If <q, 6, DOE Use, Prod, thenc = 1~b, otherwisec = b. 
Prod,’ = {<<q, b>, a(e), <r, c>> € Trans,, .: <q, @, > € Prod}. 


We claim that M ‘is an 1/O-machine. It is clear that Init,,. is nonempty. Part (2) of 
the definition of Trans,,. does not prevent Trans,,. from containing all null steps, since 
no such step can be in U,,, Prod, Thus M’ is a machine. To show that M' is 
input-cooperative, suppose <q, b> € Q,,. and d € In,. Since a is onto In, and preserves 
outputs, there exists e € In, with a(e) = d. By the input-cooperative property of M, there 
exists r with <q, e, D € Trans,,. Since <q, e, > € U,_<, Prod, by the fact that e is an input 
event, it follows that <<q, b>, d, <r, b>> € Trans,, «. 


We next show that <M‘, <Prod, {er is a PS-machine. By definition Prod,’ € 
Trans,,- for all i € /. Since each step in Prod, is an output or A-step and a preserves 
outputs, it follows that each step in Prod,‘ is an output or A-step. Each Prod,’ contains 
no null steps because the idling counter is complemented in each step in Prod, '. To see 
that every output or A-step in Trans,,. is in some Prod, ‘, note that because a strictly 
preserves inputs, each output or A-step in Trans,,. cannot be the image of an input step 
in Trans,,, and therefore must be the image of an output or A-step in Trans,,. Since the 
Prod, cover all output or A-steps of Trans,,, it follows that the Prod,’ must cover all 
output or A-steps of Trans,, 


We claim that Beh(M ', <Prod,">,.,) = «(Beh(M, <Prod),<))). 


Case a(Beh(M, <Prod,>,<,)) € Beh(M ‘, <Prod, ><): 


Each computation X of M maps in an obvious way (by taking the image of the 
observation part under a, and deleting the idling counter from the state part) to a 
computation X ' of M’, such that Obs,. = a(Obs,). It suffices to show that if X is fair, 


then so is X’. Suppose that X is fair. Fix i € /, and suppose that Prod,’ is repeatedly 
enabled in X’'. We claim that Prod,’ repeatedly runs in X'. By definition, Prod,’ is 
enabled in state q iff Prod, is enabled in state q. It follows that Prod, is repeatedly 
enabled in X, and hence by fairness of X, that Prod, repeatedly runs in X. By definition of 
Prod, ', if Step, (t) € Prod, then Step, (t) € Prod, ’. Thus Prod, ‘repeatedly runs in X ’. 


Case Beh(M ', <Prod, >...) € a(Beh(M, <Prod,>.<,)): 


Suppose that x‘ € Beh(M ', <Prod, ie): and let X‘ be a fair computation of M’ in 
which the observation x‘ is generated. We will construct a fair computation X of M, 
such that a(Obs,) = x’. The idea is simply to choose inverse images under a of the 


steps in X ‘, however this must be done carefully to ensure fairness. 


Let T = <t,>,-y be a skeletal sequence that spans X'. Suppose Step, (t,) = 


<<q,,6,>, d,, <r,, ¢,>> for each k € N. 


For each k, since <<q,, 5,>, d,, <r,,¢,>> € Trans,,., we can select e, such that d, = 
a(e,) and <q,, e,,7,> € Trans,,. Because a might map two different e’s to the same d, we 
can't necessarily select the e, in such a way that for each j € /, the step <q,, @,, > € 
Prod, iff <<q,, b>, d,, <r,, 6,22 € Prod, ’. However, by making sure that we don’t 
persistently neglect some Prod, ‘, we can select the e, in such a way that for each i € /, if 
<q, b>, FR c,>> € Prod, for infinitely many k, then <q,3 ey, > € Prod, for infinitely 
many k. 

The function f that takes t, to the step <q,, e,, r,> is a history skeleton over E,, and 
Q,, By Lemma 3.5 there is a unique history X such that f spans X. It is easily verified 
that X is a computation of M, with a(Obs,) = x’. To show fairness, fix / € / and suppose 
that Prod, is repeatedly enabled in X. We claim that Prod, repeatedly runs in X. From the 
definition of Prod,’ we know that Prod, ' is repeatedly enabled in X ‘. By the fairness of 
X‘ we know that Prod,’ repeatedly runs in X '. This implies that <q,, d,, 7,> € Prod,’ for 
infinitely many k, and hence by construction that <q, e,, 7,2 € Prod, for infinitely many k. 
It follows that Prod, repeatedly runs in X. § 


The following theorem is our desired characterization of the 1/O-behaviors: a 
behavior is an |/O-behavior iff it is the behavior of a PS-machine. 


Theorem 5.4 - Suppose D is an |/O-interface. Then a behavior B € Beh(D) is an 


1/O-behavior of interface D iff B = Beh(M, <Prod>,..) for some PS-machine <M, 
<Prod,>,<,> of interface D. 


Proof - => Since the class of behaviors of PS-machines is closed under 
1/O-abstraction by Theorem 5.1, it suffices to show that every primitive behavior B is the 
behavior of a PS-machine. Suppose B = PBeh(¥), where f = <E, <M),-> is an 
1/O-system. We associate a PS-machine <M, <Prod,>,.,> with J as follows: The machine 
M is the system machine for J. The set Prod, is the subset of Trans,, in which process / 
runs. Since a step in which process / runs is always an output step, it is clear that Prod, 
is a productive step set for M. Since every nonnull output or A-step in Trans,, is in fact 
an output step for some process / € /, and hence is in Prod,, it follows that the Prod, sets 
cover the nonnull output or A-steps in Trans,,. 


It is obvious that the set of fair computations of the system # is exactly the set of 
fair computations of the PS-machine <M, <Prod>i-P, and thus PBeh(f) = 
Beh(M, <Prod>,<,). 


<= Suppose that <M, <Prod)>i¢> is a PS-machine of interface D. We construct an 
I/O-system S = <E, <M>-> and an !/O-abstraction map a: E -» D, such that 
Beh(M, <Prod>,-,) = a(PBeh(%)). 


Without loss of generality we make the following three assumptions about 

<M, <Prod>¢: 

(1) The set Init,, Of initial states for M contains exactly one state Qo 

(2) For allq € Q,, and alle € In,, there is a unique r € Q,, such that <q,e, DOE 
Trans,,. 

(3) Prod, Prod, = Ofori + j. 
A PS-machine <M ', <Prod, '>,.,> that does not have these three properties can easily be 
transformed, without changing its behavior, into a PS-machine <M, <Prod>i¢? that does 
have these properties. We first obtain properties (1) and (2) by buffering input events in 
an input queue in the order that they occur so that the change of state associated with 
an input event is just to append the event to the end of the input queue. All 
nondeterministic choice, including the choice between multiple initial states, is 
absorbed into the output steps. 


Formally, we transform the PS-machine <M’, <Prod, EP into a PS-machine 
<M", <Prod, ">... by defining State,,.. to consist of all pairs <q, u>, where q is either an 
element of State,,. or the distinguished symbol 1, and u € In,*. The single initial state 
of M" is the state <1, A>. The transition relation Trans,,.. consists of all steps <<q, u>, e, 
<r, v>> such that 

- Ife € In, thenr = q and v = ue. 
- Ife € Out, U {A,}, then v = A, and either 
(a) <q, ue, r> is in Trans,,.*, or 
(b) q = 1 and <s, ue, m € Trans,,.* for some s in Init,,.. 
The set Prod, " consists of all steps <<q, u>, e, <r, v>> € Trans,,.. such that for some state 
s of M’, the step <s, e, Dm € Prod, ‘, and in addition, either q # . and the step <q, u, s> is 
in Trans,,.*, org = 1 and for some q ' € Init,,. the step <q ', u, s> is in Trans,,.*. 


Once <M", <Prod,">,.> with properties (1) and (2) is obtained, it can be 
transformed into <M, <Prod,>,.,> with all three properties by an application of Lemma 5.2. 


We now proceed to the construction of ¥. The idea is as follows: The system # will 
contain one process for each j € |. The processes in ¢ perform a lock-step simulation of 
the machine M. The interface for each of the processes in the system Sf consists of the 
null event, the input events of D, and the set of all productive steps for M. The input 
events for process / will be the input events of D and the steps in Vier Prod. The 
output events for process j will be the steps in Prod,. Each process keeps track of the 
current simulated state of M, and permits an output event to occur only if the event 
corresponds to a step of M from the current simulated state of M. To ensure that the 
input-cooperative property holds, process j imposes no requirements on the state from 
which a step in Prod, can occur, if j # i. 


Formally, define the |/O-interfaces F, as follows: 
Foo {r,} + In, + Ue Prod, 
In, = In, + Viengy Prod) 


Out, = Prod, 


Define the system interface E C F = ®,-, F, as follows: 
E = {ft €Ff, =f foralli,j€ 1} U {A,} 
A; =A; 


In, = EM In, 


Out, = EM Out, 
It is easy to see that the inclusion map y: E — F is an embedding. For each f € Ing, the 
identically f vector <f,,, is in E. By the assumption that the Prod, are pairwise disjoint, it 
follows that the identically f vector <),,, is in E for each f € Out, as well. This shows that 
a,° y is onto F,, where the a, are the canonical projections associated with F. 


Define a: E — D to be the translation that behaves in the following way on the 

identically f vector <A,<, € E: 

- Iff Ein, then a(<f>,,) = fF. 

- Iff = <q, d, > € Prod; for some i € /, then a(<f>,.,) = d. 
We claim that a is an !/O-abstraction map. It is clear that a is onto Inj. The map a 
preserves outputs because if the identically f vector is an output event of E, then f € 
Prod, for some i and hence f is an output or A-step. To show that a strictly preserves 
inputs, suppose the identically f vector Mic; is an input event of E. Then f € inp so 
a(<fi¢) = fE inp. 


The machines M, are defined as follows: 


Eu, = F, : 


(1) f= A, and r = q, 

(2) f € In, and <q, f, > € Trans,,. 

(3) f = <q',d, DE Prod, for some j # i. 

(4) f = <q, d, r> € Prod, 
Obviously M, is a machine and every step <q, Ap. me Trans,,_ has r = q. To see that M, 
is input-cooperative, suppose q € Qu, and f € In, Then either f € Inn orf € Prod, for 
some j # i. If f € In, then f is enabled in state q by part (2) of the definition of Trans, 
because M is input-cooperative. If f = <q',d, D € Prod, for some j # i, then f is enabled 
in state q by part (3) of the definition of Trans, . 


A straightforward induction establishes that if g is a reachable state of the system 
J, then gq, = qj for all i,j € J. This argument uses the assumed uniqueness of the initial 
state of M, plus the assumption that a state q and an event e € In, uniquely determine a 
State r such that <q, e,  € Trans,,. Intuitively, since the processes in ¢ do not interact 
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with each other during input steps, the uniqueness assumptions are needed to ensure 
that all processes reach the same new state in each such step. 


There is an obvious correspondence between the steps of the machine M and the 
steps of the system ¥. Specifically, each step s = <q, d, > of M determines a step s‘ = 
<q ,e, £ > of Sunder the definitions: 

- g is the identically q vector 
- ¢ is the identically r vector 
-e@=Ad,, if s is null 
= <d>.-, ifd € In, 
= <S),¢~ if s is a nonnull output or A-step. 


It easy to see that a step s of M is enabled in state q of M iff the corresponding step 
s ‘is enabled for the system in state <q>,¢; The correspondence between the steps of 
M and the steps of £ therefore defines a bijection between the set of computations of M 
and the set of computations of ¥, such that if X' is a computation of f and X is the 
corresponding computation of M, then Obs, = a(Obs,.). Furthermore, a step s of M is 
in Prod, iff process j runs in the corresponding step s‘ of J, so that fairness is preserved 
in both directions of this correspondence. It follows that a(PBeh(‘)) = 
Beh(M, <Prod)>,-,). @ ; 


/ 
The following two properties of |/O-behaviors are easily derived from the 
PS-machine characterization. 


Corollary 5.5 If B is an |/O-behavior of interface E, then B # @. 


Proof - Suppose B = Beh(M, <Prod>,,.). It suffices to show that there is a fair 
computation of M. We construct a sequence q,, q,, ... of states of M, and a sequence 
Gp; €,, --. Of events of E, such that the following properties hold: 

(1) <q,5 6,5 9,4 42 € Trans,, for all k € N, 

(2) For each i € /, either Prod; is enabled in only finitely many of the q,, or else 
the step <q,, €,, 9, , ,2 iS in Prod, for infinitely many k. 
Letting t, = k for each natural number k and applying Lemma 3.5 yields a fair 
computation of M. 
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To construct the q, and e,, first let Gp € Init,, be chosen arbitrarily. We maintain a 
running assignment of priorities to the elements of A so that at each stage of the 
construction / is more urgent than | iff a step in Prod, has been chosen less recently than 
a step in Prod. At stage k, where k > 0, we choose e, and q, , , So that <q,, e,,q, , > € 
Prod,, where / is the most urgent element of / such that Prod, is enabled in state q,- If no 
Prod, is enabled in state q,, then we lete, = A andq, |, 


A behavior B is asynchronous if whenever x € B and f: [0, 00) — [0, ©) is an 
order-isomorphism, then x °f € B. 


Corollary 5.6 - 1/O-behaviors are asynchronous. 


Proof - Straightforward from the observation that if X is a fair computation of a 
PS-machine <M, <Prod,>,> and f: [0, 00) -» [0, ©0) is an order-isomorphism, then X ¢ f is 
also a fair computation of <M, <Prod>,<?- f=4q,. 0 


5.4 Examples of |/0O-Behaviors 


In this section we give two examples of !/O-behaviors and an example of a 
behavior that is not an 1/O-behavior. 


Example 1: An1/0O-Behavior: 


As an example of how |/O-behaviors can be used to model a system capable of 
Satisfying eventuality requirements, imagine that we wish to model the behavior of a 
“black box" to which input stimuli can be applied by pressing a single button, and from 
which output can be observed by flashes of a single light bulb. The black box has the 
property that every press of the button is later followed by a flash of the light bulb, and 
no flashes of the bulb occur unless the button has been pressed at least once since the 
time of the most recent previous flash. 


The interface of such a black box is the |/O-interface E with E = {A, button, flash}, 
In, = {button} and Out, = {flash}. The behavior of the black box is defined by a 
PS-machine M of interface E. Intuitively, a push of the button sets a flag in the state of M 
to true. A flash of the light can occur only when the flag is true, and causes the flag to 
be reset to false. There is one productive step set Prod, which contains exactly those 
steps in which flashes occur. 


Formally, 
Ey, =E 
Q, = {true, false} 
Init, = {false} 


Trans,, = {<q, button, >: r = true} U (<true, flash, false>} U 
{<q, A, g>:q €Q,)}. 
Prod = {<q, flash, r> € Trans, } 
That <M, Prod> is a PS-machine of interface E is easily checked. 


Let B = Beh(M, Prod), so that B is an 1/O-behavior. Through analysis of the fair 
computations of M it can be shown that an observation x € Obs(E) is in 8 iff there is a 
surjective total function f: {t € [0, 00): x(t) = button} — {t' € [0, 00): x(t’) = flash} such 
that for all t € [0, ©), f(t) is the least t' € (t, 00) such that x(t’) = flash. That is, an 
observation x is in B provided that in x, every push of the button "causes" a future flash 
of the light, and every flash of the light is caused by some collection of recent past 
pushes of the button. 


Example 2: Two Productive Step Sets 


We can give an example of an I/O-behavior that is not the behavior of a 
PS-machine with one productive step set. Let the interface E be defined by: E = 
{A, button, flash1, flash2}, where In, = {button} and Out, = {flash1, flash2}. Let B be 
the set of all x € Obs(E) such that the following properties hold: 

(1) Occurrences of flash? appear only between the 2kth and 2k+1st 
occurrences of button, where k € N. 

(2) Occurrences of fliash2 appear only between the 2k+1st and 2(k + 1)st 
occurrence of flash. 

(3) x contains infinitely many occurrences either of flash1 or flash2 

(4) If x contains infinitely many occurrences of button, then it contains infinitely 
many occurrences of both flash? and flash2. 
It is straightforward to show that B is the behavior of a PS-machine of interface E with 
two productive step sets, one that governs the occurrence of flash? events and one that 
governs the occurrence of flash2 events. 
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Suppose 8 is the behavior of a PS-machine <M, Prod> with one productive step 
set. Construct a computation of M by repeating the following procedure: Run M until a 
flash? event is produced, then run M for two steps containing a button input. It is always 
possible to obtain the flash? events in this construction, since otherwise we could 
construct a fair Computation in which only finitely many flash? events and no flash2 
events occur. It is always possible to run the button events by the input-cooperative 
property of M. 


The above construction yields a computation X of M that must be fair, since it 
contains infinitely many steps in which the output event flash? occurs, and which must 
be in the single productive step set Prod because Prod contains all output steps of M. 
However, X generates an observation in which infinitely many button events occur, but 
no flash2 events occur. 


Example 3: A Non-i/0-Behavior 


We can also give an example of a set that is demonstrably not a |/O-behavior. 

Define the 1/O-interface E as fuilows: 

E = {A, button, flash} 

In, = {button} 

Out, = {flash}. 
Let the behavior B € Beh(E) be the set of all x € Obs(E) such that x contains an infinite 
number of occurrences of flash, and such that either the number of occurrences of 
button in x is finite or ( # flashes in x on the interval [0, t))/ (# buttons in x on the interval 
[0, t)) + Oast — 00. 


We argue that B is not an !/O-behavior of interface E. Suppose <M, <Prod>,.> is a 
PS-machine of interface E, whose behavior is B. Construct a computation X for M by 
repeating the following procedure: Run M without input until a flash event is produced, 
then run M for one step with a button input. We can run Mf until a flash event is 
produced by always trying to take steps in which flash events are produced, if possible, 
otherwise taking some other productive step. During this construction, we make sure to 
use a fair scheduling algorithm to determine which of the Prod, should be executed at 
each step. We can never reach a state in which no productive steps are enabled, 
otherwise we could construct a fair computation in which only finitely many flash events 
are produced. We can run M at any time with a button input by the input-cooperative 
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property of M. 


The above construction yields a computation X of M that must be fair, since the fair 
scheduling of the Prod, ensures that every repeatedly enabled Prod, will be repeatedly 
run. However, computation X generates an observation x that contains infinitely many 
occurrences of button events, and in which the ratio of the density of flash events to 
button events approaches one in the limit, rather than zero. This contradicts the 
assumption that Beh(M, <Prod,>,<,) = 8. 


§.4.1 Proving I/0-Consistency 


From the PS-machine characterization of the |/O-behaviors we obtain the 
following test for 1/O-consistency of subset specifications. 


Theorem 5.7 - Suppose that S is a subset specification of |/O-interface E. Then S is 
1/O-consistent iff there exists a PS-machine <M, <ProdD <P of interface E such that 
Beh(M, <Prod>.<,) C O(S). 


Proof - Obvious. 8 


If S = <M, V) is a state-transition specification, then to show the !/O-consistency 
of S, it suffices to define a collection of productive step sets for M, such that every fair 
computation of M is in the set V of valid computations. 


Corollary 5.8 - Suppose that S = <M, V> is a state-transition specification of 
1/O-interface E. Suppose that <M, <Prod)¢? is a PS-machine of interface E. If every 
fair computation of M is in V, then S is |/O-consistent. 


Proof - Since <M, <Prod>,.> is a PS-machine of interface £, it follows that 
Beh(M, <Prod,>,,,) is a 1/O-behavior of interface E. Since every fair computation of M is 
in V, we know that Beh(M, <Prod>,.,) € 0(S). By Theorem 5.7, S is |/O-consistent. § 


To illustrate the use of this result, we apply it to a simple example specification: A 
neuron is a module with a single input event in, and a single output event out. The state 
set for the neuron is the set {ff, tt}. At any instant of time, if the state of the neuron is tt, 
then the neuron is said to be excited, otherwise the neuron is said to be inhibited. 
Initially the neuron is excited. An in event can occur at any time, and causes the neuron 
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to become inhibited. If the neuron is excited, then it can fire, producing an out event, 
and then becoming inhibited. The neuron should satisfy the condition, "If the neuron 
becomes excited and remains that way, then eventually it will fire.” 


The neuron module description can be formalized as a_ state-transition 
specification. 
ENEU = {), in, out} 
InNEU = {in} 
OutNEY = {out} 


QNEU re {ff, tt} 


initNEY = {tt} 
A step <q, e, > € Trans'EY iff either e = A andr = q or one of the conditions (in), (out) 
below holds: 


(in) e = inandr = ff 


(out) e = outandg = tt 


The neuron module validity condition is defined by: 
ValidNEUV = O(O(Now = tt) ~ O(Occurs = out)), 


To show the |/O-consistency of the neuron specification, we define a single 

productive step set ProdNEY as follows: 

<q, e, r> € ProdN€¥ iffe = out, q = tt, andr = ff. 
It is clear by inspection that MNEY is input-cooperative, and that Prod'®” is a productive 
step set for MNEU. To show the !/O-consistency of the neuron specification, we must 
show that every fair computation of MNEY is valid. That is, 

CompNEY a FairNEY te Valid NEY, 
where 

FairNEU = 9OEnabled™©4(Now) —- O0ProdNE4(Now, Occurs, After) 

Enabled™EU(q) = (3e€ENEY, ¢ € QNEY) ProdNEY(q, @, 1). 
We claim the stronger property 

FairNEY p= ValidNEY, 
To show this, we use the neuron module specification and the definition of ProdNE” to 
expand the term FairNEY. From the definition of Prod’ we obtain 
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Enabled“®4(q) = q = tt, 
and hence that 

FairNEY = OO(Now = tt) ~ OO(Now = tt A Occurs = out A After = ff). 

By straightforward temporal and propositional reasoning it is now easy to see that 

O¢(Now = tt) ~ OO(Now = ttA Occurs = out A After = ff) 

FE 2(0O(Now = tt) ~ O(Occurs = out)), 
That is, if we suppose that : 

(1) whenever the state repeatedly takes on the value one then it is also 
repeatedly the case that an out event occurs (which takes the state from one to zero), 
then we are entitled to conclude that 

(2) whenever the state is persistently one after some instant, then there is a 
later instant at which an out event occurs. 


We can use the PS-machine characterization of the 1/O-behaviors to show the 
1/O-inconsistency of a slightly stronger version of the neuron specification, obtained by 
using the stronger validity condition 

ValidNEU = O(New = tt O(Occurs = out)). 
This condition states that if the neuron is ever excited for a single instant, then it must 
eventually fire. Suppose there is a PS-machine <M, <Prod>,<> of interface ENEY such 
that Beh(M, <Prod>,.) satisfies the strong neuron specification. Construct a 
computation of M as follows: Run M for one step with input in, and then repeatedly run 
productive steps of M if possible, otherwise null steps, being sure to schedule the 
occurrences of Prod, fairly. The result is a fair computation X of M. 


Since the observation x = Obs, satisfies the strong neuron specification, there 
must exist a valid computation X' of MEY such that Obs,. = x. In X', the neuron 
module is excited at time 0, an in event occurs at time 0, and no input events occur after 
time 0. Consequently, the neuron module is inhibited after time O, and thus no out 
events can appear in x because X ' is a computation of MEY. Thus, in the computation 
X' of MNEU the neuron module is excited at time O but no out events subsequently 
occur. This means that the computation X ‘ of MNEY fails to satisfy the validity condition 
ValidY, a contradiction. We conclude that the PS-machine <M, <Prod>,,> cannot 
exist and the strong neuron specification is 1/O-inconsistent. 
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5.4.2 1/0-Consistency of the Specification SC 


As an extended example of an 1/O-consistency proof, we prove the 
1/O-consistency of the synchronizer component module specification. For the 
Prod. ocen_out’ and Prod, equest_out’ defined 


productive step sets, we use the sets Prod,_,,, 


as follows: 

Prod.,.(q; 6,1) =e = run Trans*“(q, e, r) 

Prodyen_out(T> 2") =e = token_out A Trans®“(q, @, r) 

Prod,equest_out(7: @) = @ = request_out A Trans°“(q, @, r). 
It is easily checked that <MS°, <Prod,, Prod.ven out! PTO request.out?” iS @ PS-machine of 
interface ES“, 


We must show that each fair computation is valid; that is, 


Comp“x A FairS° A Fairse cut A FOU eet cic k= ValidS¢, 
where 
FairS¢ = O0EnabledS¢ (Now) -> 
C1Prod8° (Now, Occurs, After) 
Fairer enout = O¢EnabledS< (Now) > 
sc 
OOProdiken_ourlNow, Occurs, After) 
i se sc 
| pee = OOEnabled™ vest out(NOw) -* 
sc 
DOProdrecuest.out\NOw, Occurs, After) 


and each EnabledS“(q), where i € {run, token_out, request_out}, is a formula that 
expresses the conditions under which ProdS© is enabled in state g. Using the 
definitions of the Prod, given above, we derive the following expressions for Enabled,» 


Enabled, .,en_out! 2nd Enabled. vestout! 
Enabied, ,,(q) = q(ustate) = trying A q(token) # 0 
Enabled. ocen_out(9) = q(ustate) # running A q(token) # O 
Enabled .uest_out() = q(token) = 0 
To show 
sc . ° Sc . 2 Sc 
Comp A FairS° a Faire en_out Fal casionk k= ValidS¢, 


we assume Comp®s, RelyS°, ~Guar®°, Fair... Fait penout! 290 Fair eauest ou aNd 
derive a contradiction. That is, we consider a fair computation in which the 
synchronizer component module rely-conditions are satisfied, but in which the 
guarantee-conditions are not satisfied. If ~GuarS© holds, then either 

(A) “70 (Now(ustate) = trying ~ O(Now(ustate) = trying)) 
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or 
(B) 7O(Occurs = request_in) ~ (Occurs = token_out)). 

Thus the proof can be split into two cases, one headed by assumption (A), and the other 

by assumption (B). 


Case (A): Suppose that (A) holds. Then by temporal reasoning, we have 

©(Now(ustate) = trying A O(Now(ustate) = trying)) 
(*) ©O(Now(ustate) = trying) 
That is, it is persistently the case that the user process is trying. By definition of 
Trans®°, the following is valid: 

Comp®% = O(Occurs = run > After(ustate) # trying) 
and thus, using the temporal tautology F O(¢(After) + O»(Now)), that 

CompS% = ©O(Now(ustate) = trying) - ©O(Occurs # run). 
Intuitively, since occurrence of run results in the user process leaving the trying state, if 
the user process is persistently trying, then it must be the case that a run event 
persistently does not occur. Applying this to formula (*) yields 

- 90 (Occurs # run A Now(usiaie) = trying) 

That is, it is persistently the case that the user process is trying but a run event never 
occurs. Using the definition of Prod,, we conclude 

©O(—Prod, (Now, Occurs, After) A Now(ustate) = trying). 
By applying of the hypothesis that Fair, holds, we obtain 

©O(7Enabled, (Now) A Now(ustate) = trying). 
Using the expression for Enabled, , obtained above, we have 

©O(Now(token) = 0 a Now(ustate) = trying). 
That is, it is persistently the case that the synchronizer component module possesses 
no tokens, and the user process is trying. Using the hypothesis that Fair, savant out holds, 
we obtain 

O%¢(Occurs = request_out) A OO(Now(token) = 0). 
That is, it is repeatedly the case that request_out occurs, but persistently the case that 
the synchronizer component module possesses no tokens. Applying the hypothesis 
that Rely®° holds, we conclude 

ON(Now(token) # 0) A OO(Now(token) = 0). 
That is, it is repeatedly the case that the synchronizer module possesses a token, but 
persistently the case that the synchronizer module possesses no tokens. This is a 
contradiction, and we conclude that case (A) is impossible. 
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Case (B): Suppose that (B) holds. Then by temporal reasoning, we have 

©(Occurs = request_in A O(Occurs # token_out)). 
That is, eventually there is a point at which a request for the token is received, but no 
token is ever sent in response. Using the definition of PrOd, .en_out’ and temporal 
reasoning, we obtain 

OD™Pr0d,cen_outlNow, Occurs, After). 
Application of the hypothesis that Fail oken_out holds, we have 

OO™Enabled, pen_outtNOw): 
That is, it is persistently the case that a token_out event is not enabled. Using the 
expression for Enabled, o.en_out obtained above yields 
{**) ©O(Now(ustate) = running v Now(token) = 0). 
Thus, it is persistently the case that either the user process is running or the 
synchronizer component module possesses no token. We now use the temporal 
tautology F OO(9 v ¥) ~ (O%@ v OOy¥). Intuitively, this says that if it is persistently 
the case that p v ¥ holds, then either » holds repeatedly, or else ¥ holds persistently. 
Application of this tautology to (**) gives 

OO(Now(ustate) = running) v OO(Now/(token) = 0). 
That is, either the user process is repeatedly running, or the synchronizer component 
module persistently has no token. We now split the proof into two subcases, depending 
upon whether 

(B1) O(Now(ustate) = running) 
or 

(B2) ©O(Now(token) = 0) 
holds. 


Subcase (B1): Suppose that (B1) holds. Application of the hypothesis that RelyS° holds 
gives 
0>(Now(ustate) = running) A 00(Now(ustate) # running). 


Next, we use the temporal tautology 
= (O909(Now) A DO79(Now)) — 00(9(Now) A 79 (After)). 
Intuitively, if it is repeatedly the case that » holds of the current state, and it is repeatedly 
the case that —q holds of the current state, then it must repeatedly be the case that a 
point is reached where holds of the current state and ~q holds of the "next" state. 
Application of this tautology in the present situation gives 
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O%0(Now(ustate) = running A After(ustate) # running). 


In addition, we need the following invariance property: 

Comp®“. & O(Now(ustate) = running ~ Now(token) # 0). 
The validity of this sentence can easily be shown by Corollary 3.7, and the details are 
omitted. Using this, plus the fact that 

= (Vq,r€State, e€Event)((Trans®“(q, e, r) A q(ustate) = running 

A r(ustate) # running) — r(token) = q(token)), 

which is verified by case analysis on e, we obtain 

¢(After(ustate) # running A After(token) # 0). 


Let us examine the intuitive content of the preceding steps. If the user process is 
running in the current state and not running in the “next" state, then the following must 
be true: Since the synchronizer component module must possess a token whenever the 
user process is running, and no event that takes the user process out of the running 
state can affect the number of tokens possessed, it must be the case that the 
synchronizer component module possesses a token in the next state as well. 


Another use of the temporal tautology = O(¢(After) - O¢(Now)), we obtain 
OO(Now(ustate) # running A Now(token) # 0), 
which is a contradiction with formula (**). We conclude that subcase (B1) is 
impossible. 


Subcase (B2): Suppose that (B2) holds, that is 
©O(Now(token) = 0). 
Then by definition of Enabled... est_out WE have 
ODEnabled,, vest. ou(Now), 
and thus by the hypothesis that Fall, ccuest-pul holds, we infer 
O0(Occurs = request_out). 
That is, it is repeatedly the case that request_out events occur. By the hypothesis that 
RelyS° holds, we conclude 
OO(Now(token) # 0) 
a contradiction with (B2). We conclude that subcase (B2) is impossible, and hence that 


case (B) is impossible. 
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Since both cases (A) and (B) have been shown to be impossible, we conclude that 
the original hypotheses are contradictory, and thus the synchronizer component 
module specification is |/O-consistent. 


5.5 Composition of |/0O-Behaviors 


We have previously shown that the class of |/O-behaviors is closed under the 
abstraction operators associated with the |/O-abstraction maps. In this section, we 
define the class of "I|/O-decomposition maps," and show that the class of |/O-behaviors 
is also closed under the composition operators associated with these maps. 


5.5.1 1/0-Decomposition Maps 


When we defined the notion of a system interface above, we noted that there is a 
canonical decomposition map (and hence a composition operator) associated with 
each system interface. We would now like to extend the notion of composition 
associated with system interfaces so that we can view behaviors of non-system 
interfaces as a composition of component behaviors. The most natural way to do this is 
to require that the the domain of a decomposition map be a system interface only up to 
isomorphism. | 


Definition - An isomorphism from the !/O-interface E to the 1/O-interface D is a 
bijective translation y: E - D such that y and y"' are embeddings. § 


Definition - An //O-decomposition map from the !/O-interface E to the collection of 
1/O-interfaces <F Dic, is a vector <6 i¢, Of translations, where 8: E — F,, with the following 
property: There exists a system interface E' C ®,,, F, and an isomorphism y: E > E', 
such that 6, = 8,’ ° y for all i € J, where <6, el is the canonical decomposition map 
associated with E’. 


From this definition, we can immediately derive a number of properties of the 
1/O-decomposition maps. 


Lemma 5.9 - If <5>,-, is an 1/O-decomposition map from E to <F>,-,, then 
(1) e # e' implies 5(e) + 5{e ') for some i € 1. (8 is injective) 
(2) 6(in,) C In, U {A,.} for alli €/. (& preserves inputs) 
i 
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(3) Ife € Out, then 6(e) € Out, for some i € /. (& strictly preserves outputs) 
i 
(4) 5; (Out,) n 8;*(Out,) = @whenever i #j. (Compatible Coupling Property) 
i 
(5) 6, is onto F, for alli € #. 


Proof - Straightforward. § 
5.5.2 Closure Proof 


We can now prove that the class of 1/O-behaviors is closed under the composition 
operators associated with |/O-decomposition maps. 


Theorem 5.10 - Suppose <&>,_, is an 1/O-decomposition map, where 6,: E — F,. If B, is 
an |/O-behavior of interface F, for each / € J, then § 1(B ) is an 1/O-behavior of interface 
E. 


Proof - Suppose that for each i € /, <M,, <Prod, >.<, is a PS-machine of interface F,, 
: i 


such that Beh(M,, <Prod, >,¢ a) = B,. We construct a PS-machine <M, <Prod, , Pie) a¢ A? 
of interface E such that Beh(M, <Prod, , "ic, »¢ es “(B ). 


Let M be defined as follows: 
Q, = Nhe, Qu, 
Init,, = Nhe, Inity, 
Trans,, = {<g,e,£>: such that <q, &(e), r> € Transy, for alli € /}. 
It is easy to check that Init,, is nonempty and that <q , A, @ > € Trans,, for alla € Q,,. 
Thus M is a machine. To show that M is an |/O-machine, we must show that it is 
input-cooperative. Suppose g € Q,, ande € In,. Since § preserves input, it follows that 
&(e) € in, U {A,} for each / € /. Since each M, is input-cooperative, for each i € / we 
can get r, such that <q,, 6,(e), r> € Transy,. It follows that <q , e, £ > € Trans,,. 


For each i € /, anda € A, define 
Prod,,' = {<a,e,£> € Trans,,: <q, 8{e), r> € Prod, , and e € In,}. 
It is clear that each Prod, ,' is a productive step set for M. To show that 
<M, <Prod, , icrac a? is a PS-machine, we must show that the sets Prod, , ’ cover the set 
of nonnull output or A-steps in Trans,,.. Suppose <q , 6, ¢ > is such a step. Then <q 
5(e), r> is a nonnull output or A-step for M, for some i € /, by the fact that § strictly 


preserves outputs: Since the collection <Prod, aca, covers the nonnull output or 
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A-steps for M,, we know that <q): 5(e), me Prod, . for some a € A,. Hence <a,e,r>€ 
Prod, .’. 


ha 


We claim that Beh(M, <Prod, , Dic; a¢ a) = §'(<Beh(M,, <Prod, aca) rep: 


Case Beh(M, <Prod, . Pic, 9¢ a) cé\(B): 


Each computation X of M maps in an obvious way (by taking the image of the 
observation part under 6, and the canonical projection of the state part) to a 
computation X, of M,, for each i € /. Suppose that X is fair. Let i € / and a € A, be fixed. 
We show that if Prod, , is repeatedly enabled in X,, then Prod,, repeatedly runs in X,. 
Suppose Prod he is repeatedly enabled in X,. 


We first show that, given g € State,,, if Prod, , is enabled in state q,, then Prod, , ‘is 
enabled in state g . If Prod, , is enabled in state q,, then there exists f, € Out, U {A} and 
r,€ Qn, such that <q, @, r> € Prod, ,. Since 6, is onto Out, we we can get e € Out, U 
{A,} with 5(e) = f. By the compatible coupling property of § , we know that 8(e) € Ing, 
Uf{ x for all j € 1 - {i}. For each j € / - {i}, by the input-cooperative property of M, we 
can get /, ‘ such that <Q): 5{e), y rE TIES: It follows that <g ,e, 6 > € Prod, , ‘, and 
thus Prod ha ‘is enabled in state gq. 


Since Prod ia ‘S Fepeatedly enabled in X, by hypothesis, and Prod, , enabled in state 
q, implies Prod, , ‘ enabled in state g , we know that Prod, , ' is repeatedly enabled in X. 
By the fairness of X, it follows that Prod, , ‘ repeatedly runs in X. By definition of Prod La - 
if Step,(t) € Prod, , ‘, then Step, (0) € Prod, a’ This implies that Prod, , repeatedly runs in 
X, 
Case § "(8 ) C Beh(M, <Prod, , i€La€A): 


Suppose that (x) € Beh(M,, <Prod, .s¢ a) for alli € /. For each i € /, let X, be a fair 
computation of M, in which the observation 6({x) is generated. We construct a fair 


computation X for M, such that Obs, =X. 


Without loss of generality we assume that the X, have the following property: For 
all t € [0, ©), if a productive A-step runs at time t¢ in X; for some i € /, then the step that 
runs at time t in X; is null for all j € / - {i}. If we are given a collection <X, >.<, for which 
this property does not hold, then it is a simple matter to construct order-isomorphisms f; 
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[0, 00) -» [0, 0) such that if X, = X,'° f, then Obs, = Obs, for all i and the desired 
property holds for the collection <X>,.,. Since the property of being a fair computation 
is preserved under stretching of [0, 9) by an order-isomorphism, it follows that each X, 
is a fair computation for M,. 


We now define X by letting Obs, = x and State,(t) = <State, (1)j¢, it is easy to 
see that X is a computation for M. 


To show that X is fair, suppose that Prod, , ' is repeatedly enabled in X. Since 
Prod, , enabled in state g implies Prod, , enabled in state q,, it follows that Prod, , is 
repeatedly enabled in X,. Since X, is fair, we know that Prod, , repeatedly runs in X,, We 
claim that if Step, (0) € Prod, , then Step,(f) € Prod, ,' as well, and hence Prod, .' 
repeatedly runs in X. 


By definition of Prod, , if Step, () € Prod, , then Step,(f) € Prod, . ‘, except in case 
Obs,(t) € In,. But if Obs,(t) € In(E), then the fact that 6, preserves inputs and Prod, 
contains only output and A-steps implies that Step, (1) = <q, A, r> € Prod,,. Since § is 
injective and preserves inputs, it musi be the case that Obs, (1) € In, for some j € / - {i}, 
and hence Step, (f) is nonnull. This contradicts our assumption that if a productive 


A-step runs at time t in X,, then the step occurring at time j in x, is null for all j €/— {i}. 8 
5.6 Alternative Classes of Computable Behaviors 


The class of 1/O-behaviors is by no means the only class of "computable" 
behaviors that it is interesting to consider. By replacing the fairness requirement for 
computations of i/O-systems with that of “weak fairness," in which a process is 
required to repeatedly run only if it is persistently enabled, rather than repeatedly 
enabled, we obtain the class of weak //O-behaviors (WI/O-behaviors). It can be shown 
that every Wi/O-behavior is an |/O-behavior, but not every !/O-behavior is a 
WI/O-behavior. The notion of Wi/O-consistency is therefore strictly more stringent 
than |/O-consistency. 


Besides the fairness assumption, the definition of the class of 1/O-behaviors 
embodies several other choices that might have been made differently: 

(1) (Asynchrony) - The 1/O-systems model is an asynchronous model of 

computation. We might have chosen a timing-dependent model of computation instead. 


iis 


(2) (input/Output Structure) - Instead of focusing on interfaces with 
input/output structure, we might have chosen additional or alternative structure, such 
as interfaces in which events include information about the physical location at which 
’ they occur. . : 

(3) (Simultaneity) - The definition of an 1/O-system permits at most one 
process to perform an output at any instant of time. We might imagine a more general 
model in which any number of processes can perform an output at once. 


An interesting avenue for future research is to try to discover additional classes of 
behaviors and associated notions of consistency by modifying one or more of the above 
assumptions. 
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6. A Completeness Result 


A reasonable question to ask about the sufficient correctness conditions required 
by the Correctness Theorem is whether these conditions are also necessary. That is, is 
it the case that the maximality and validity conditions hold for every correct 
implementation involving state-transition specifications? In this chapter we show that in 
general the maximality and validity conditions need not hold for every correct 
implementation. However, it is possible to impose some well-formedness conditions on 
the state-transition specifications involved in the implementation, which are sufficient to 
ensure that correctness implies maximality and validity. The Completeness Theorem 
(Theorem 6.4) is the formal statement of this result. Although Theorem 6.4 is probably 
not the strongest result of this kind it is possible to prove, it nevertheless sheds some 
light on the limitations of the Correctness Theorem, and serves to motivate some 
well-formedness properties of state-transition specifications. 


6.1 Specification Domains 


The statement and proof of Theorem 6.4 depends crucially on the existence of a 
collection of interfaces, behaviors, abstraction maps, and decomposition maps with 
closure properties like those of the |/O-interfaces, |/O-behaviors, |/O-abstraction maps, 
and |/O-decomposition maps defined in Chapter 5. The definition of a “specification 
domain" below summarizes these properties, which seem like fundamental properties 
that are likely to be shared by other interesting models. 


Informally, a specification domain % contains four pieces of data: the 
"g-interfaces,” the "3-behaviors," the "3-abstraction maps," and the "3-decomposition 
maps." The 9-interfaces are interfaces with structure particular to the domain 9. For 
example, the !/O-interfaces are those whose non-A events are partitioned into input and 
output events. For each 9-interface E, the 3-behaviors of interface E represent a class 
of “realizable" or "Computable" behaviors of interface E. Just as the definition of 
1/O-behavior depends upon the input/output structure of an !/O-interface, whether or 
not a behavior of 3-interface E is a 3-behavior of interface E will depend, in general, on 
the particular structure of the interface E. The 3-abstraction and 3-decomposition maps 
represent meaningful ways to abstract and decompose systems modeled by 
%3-behaviors. In general, these maps will have certain preservation properties with 
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respect to the particular structure of the interfaces, just as the |/O-abstraction and 
1/O-decomposition maps preserve input/output structure in various ways. 


The definition of a specification domain requires that the class of 3-behaviors be 
closed under the abstraction and composition operators associated with the 
%-abstraction and 3-decomposition maps. In addition to the properties of closure under 
abstraction and composition discussed above, we require a third regularity property of 
the 3-behaviors. This property, called "nondegeneracy," rules out the empty behavior 
as a 3-behavior of any interface. Intutively, the empty behavior does not model any real 
system, since it is always possible to obtain an observation of a real system, even if that 
observation is only the null observation A. 


Definition - A specification domain 3 consists of the following: 

- Aclass Interfacesg of interfaces, called the 9-interfaces. 

- For each pair E, D € Interfacesg, a set AbsMaps,(E, D) of translations from E 
to D, called the set of 3-abstraction maps from E to D. 

- For each pair E, <F,-,, where / is a finite index set and E and each F, are 
elements of Interfacesg, a set DecMaps,,(E, E ) called the set of $-decomposition maps 
from E to FE. Each element of DecMapsg(E, E ) is a vector <5>,-,, where 6, is a translation 
from E to F,. 

- For each interface E € Interfaces,, a set Behaviorsg(E) of behaviors of 
interface E, called the set of 3-behaviors of interface E. 

In addition, 3 is required to have the following properties: 

(1) (Nondegeneracy) - For all %-interfaces E, the empty behavior @ is not in 
Behaviors,(E). 

(2) (Abstraction Closure) - For all 3-interfaces E, D, if a € AbsMaps,(£, D) and 
B € Behaviors,,(E), then a(8) € Behaviors,(D). 

(3) (Composition Closure) - For all $-interfaces E, Fey f8 € DecMaps,(E, 
F) and B = <B>, is such that B, € Behaviorsg(F,) for each i € /, then § (B ) € 


i 


Behaviorsg(E). & 


A rather simple example of a specification domain is the domain "CSP," where we 
define every interface to be a CSP-interface, every translation a to be a CSP-abstraction 
map, every finite vector § of translations with a common domain to be a 
CSP-decomposition map, and define the CSP-behaviors of interface E to be exactly 
those behaviors of interface E that are nonempty, asynchronous, and 
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truncation-closed.' We call this specification domain CSP because it is closely related 
to the "trace model" for CSP defined in [Hoare81b]. In that paper, process behaviors 
are modeled by nonempty, prefix-closed subsets of E*, where E is an alphabet of 
process events. To each nonempty, prefix-closed subset of E*, there naturally 
corresponds a nonempty, asynchronous, and truncation-closed behavior of interface E. 
Thus, for each of Hoare’s processes, there is a CSP-behavior that contains the same 
information. Hoare defines operations of parallel! composition, concealment, and 
alphabet transformation on processes. Under the natural correspondence described 
above, Hoare’s concealment and alphabet transformation operations are special cases 
of the CSP-abstraction operators defined here, and Hoare’s parallel composition 
operation is a special case of the CSP-composition operators defined here. Since no 
truncation-closed behavior can satisfy a specification with nontrivial eventuality 
properties, the specification domain CSP is not particularly useful for the analysis of 
such specifications. 


As a consequence of Theorem 5.1, Corollary 5.5, and Theorem 5.10, the 
1/O-interfaces, 1/C-behaviors, i/C-abstraction maps, and |/O-decomposition maps aiso 
define a specification domain, which we call "1/0." 


We can generalize the definition of |/O-consistency to an arbitrary specification 
domain 3. 


Definition - A specification S of 3-interface E is 3-consistent if B(S) N Behaviorsg(E) # 
0. 4 


We define relativized notions of interconnection, implementation, and correctness 
with respect to a specification domain 9% as follows: An interconnection J is a 
$-interconnection if the interfaces DS, EB), and FA for each i € / are 9-interfaces, the 
abstraction map aisa %-abstraction map from ES to D), and the decomposition map 6) 
is a 3-decomposition map from E) to E J. An implementation <3, S abs’ S>isa 
3-implementation if 3 is a 9-interconnection. We say that the 3-implementation 


1. If x is an observation and t € [0, 0), then the t-truncation of x is the observation x’ 
such that x ‘(t') = x(t‘) for all t' € [0, t), and x ‘(t’) = A for all t' € [f, 0). A behavior B is 
truncation-closed if whenever x € B and t € [0, 00), then the t-truncation of x is also in B. 
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<3, Sane SiS B-correct if a5(g 5)(B ) € A(S,,,)NB, € B(S) MBehaviorsg(F4) for each i € 
I 


Every $-implementation that is correct in the sense of Chapter 2 is also 9-correct, 
and thus the Correctness Theorem can be used to prove 3-correctness. However, in 
general there will be %-correct implementations that are not correct in the sense of 
Chapter 2. 


Lemma 6.1 - If a 3-implementation is correct, then it is $-correct. 


Proof - Suppose <j, S,.., <S>,- is a correct 3-implementation. For each / € /, let B, be 
an arbitrary 3-behavior of interface F) that satisfies S. Let B.. = aF0(§ JB ). Then 
since 3 is closed under abstraction and composition, it follows that B,,. is a 3-behavior 
of interface D’. By the assumption of correctness, B,,, satisfies S,.... Since the B, were 


arbitrary, it follows that <3, S,.., S > is 3-correct. & 


We next define the notion of an "evolutionary" specification domain. Intuitively, if 
an evoiutionary specification domain % contains a behavior B that models what a system 
S can do starting from time 0, and if we observe S produce a certain prefix of an 
observation over the interval [0, f), then 9 will also contain a "future" behavior B ', which 
models what S is capable of doing, starting from time t. Probably any reasonable 
specification domain will be evolutionary (as is the specification domain 1/O) although 
this property does not seem quite fundamental enough to be included as part of the 
definition of a specification domain. 


To define the evolutionary property precisely, we require some additional notation. 
If x and y are observations and a € [0, 0), then we write x =, y if x(t) = y(t) for allt € 
[O, a). If B is a behavior of interface E, x € Obs(E) is an observation, and t € [0, 00), then 
define the future of B with respect to x and t as follows: 

future, (B) = {suffix,y): y € B, y =, x}. 

intuitively, if a behavior B models what a system can do if we begin watching at time t = 
O, then future, (B) models what the system can do after we have already observed the 
initial segment of x on the interval [0, t). 
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Definition - A specification domain 9 is evolutionary if, whenever B is a 3-behavior of 
3-interface E, x € B, and t € [0, 00), then future, (B) is also a 3-behavior of 9-interface E. 
| 


For the remainder of this chapter, we assume that an evolutionary specification 
domain 3 (such as the domain CSP or |/O) has been fixed. 


6.2 Locally 3-Consistent Subset Specifications 


This section introduces the notion of a "locally 3-consistent" subset specification, 
and obtains some properties of such specifications that will be used in the proof of 
Theorem 6.4. Intuitively, local 3-consistency of a subset specification S means that 0(S) 
contains no isolated observations that cannot be realized in some 3-behavior satisfying 
S. 


Definition - A subset specification S of 3-interface E is locally 3-consistent if for all x € 
O(S) there exists a 3-behavior B of interface E such that x € B C O(S). 8 


Note that if S is locally $-consistent, and in addition 0(S) # @, then S is 3-consistent. 


Lemma 6.2 below states that if the component module specifications in a 
%3-implementation are locally 3-consistent, then the necessary and sufficient conditions 
for correctness provided by Lemma 3.1 for implementations involving subset 
specifications, are also necessary and sufficient for $-correctness. 


Lemma 6.2 - Suppose <3, S,.., <S)i¢P is a 5-implementation, where S,,. and each S, 
are subset specifications. Suppose that each S, is locally 3-consistent. Then <3, S,.., 
<S>i¢P is S-correct iff a0(8 4)(<O(S,)>;¢,) C O(S,.,)- 


Proof - => follows directly from Lemma 3.1 and Lemma 6.1, and actually does not 
_ require the assumption of local 3-consistency. To show <=, suppose <J, S,.., “Sic? is 
J-correct. It suffices to show that if x € Obs(E) is such that 6)(x) € 0(S,) for each i € /, 
then a(x) € O(S,,,). Because each 0(S) is assumed locally 9-consistent, given x € 
Obs(E) such that 55(x) € O(S,) for each i € J, then for each j € / there exists a 3-behavior 
B, of interface F) such that 84(x) € B,C O(S,). Thus a%(x) € B,,. = a79(5 4)(B ), which is 
a %-behavior because 3 is closed under abstraction and composition. By the 
assumption of %-correctness, it follows that Bans & O(S,.5): and hence a(x) € o(s abs)" | 
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The proof of Theorem 6.4 requires Lemma 6.3 below, which expresses a special 
property of locally 3-consistent subset specifications in an evolutionary specification 
domain %. 


Lemma 6.3 - Suppose that 3 is an evolutionary specification domain, and that S is a 
locally 3-consistent subset specification of 3-interface E. Then future, (O(S)) contains a 
%3-behavior of 3-interface E whenever x € 0(S) and t € [0, ©). 


Proof - The local 3-consistency of S means that, given x € O(S) there exists a 
%-behavior B of interface E such that x € B C O(S). Since 9 is evolutionary, it follows 
that future, (B) is a 3-behavior contained in future, (O(S)). § 


6.3 Well-Formedness Properties of Specifications 


This section defines three properties of state-transition specifications, which are 
used in the statement of Theorem 6.4. These properties are: regularity, 
quasi-determinacy, and orthogonality. The original motivation for these definitions was 
technical, in the sense that they were sufficient to permit the proof of Theorem 6.4 to go 
through. However, it was surprising to find that these properties could be thought of as 
well-formedness properties that should be satisfied by “good” state-transition 
specifications. In a regular state-transition specification, whether or not a computation 
is valid depends only upon the observation that is produced, and not upon the particular 
choice of states. In a quasi-determinate specification, the fact that the state-transition 
relation permits choices between states is inessential, since a choice of state made at 
time t can have no effect on the portion of the observation produced subsequent to time 
t. Orthogonality is related to the correct partitioning of “iocal" and “global” properties 
between the state-transition relation and the validity conditions of a specification. 


We first consider regularity. intuitively, the requirement of regularity amounts to 
the assumption that whether a computation is valid does not depend upon the states 
appearing in the computation, but rather only the observation produced. 


Definition - A state-transition specification S = <M, V> is regular if, for all computations 
X and Y of M, if Obs, = Obs,, thenX € ViffY€V. & 
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To motivate the somewhat technical definition of quasi-determinacy, it is 
convenient to first examine the stronger, but more simply defined notion of 
“determinacy.” 


Definition - A machine M is determinate if Init,, is a singleton set, and for all q € Q,, and 
alle € E,,, there is at most one r € Q,, such that <q, e, > € Trans,,. A state-transition 
specification S = <M, V> is determinate if M is determinate. & 


A determinate specification is automatically regular, since a determinate 
specification can have at most one computation that produces a given observation. The 
importance of the determinacy property is that each observation generated by a 
determinate machine is produced in exactly one computation of that machine. Thus, if 
S = <M, V> is a determinate specification, x € O(S), and X is a computation of M with 
Obs, = x, then it is automatically the case that X € V, since no other computation of M 
can produce the observation x. 


To show that the maximality condition holds for a correct implementation, it 
appears io be necessary to assume ihat some properly sinilar to Geierminacy ihoids for 
the abstract module specification. To see why, consider the following example: We are 
attempting to implement an abstract module whose function is to produce a finite 
number of occurrences of a single event e. (Think of a "black box" with a single light 
bulb on top, and let e be an event corresponding to a flash of the light bulb.) This 
module can be specified in two different ways: 


(Determinate): The state set of the specification consists of a single state *. The event 
e is enabled in state *, and obviously cannot produce any state change. The constraint 
that e should appear only finitely many times is captured by the validity condition. 


(indeterminate): The state set for the specification is the set of natural numbers. Every 
State is an initial state. The event e is enabled in state & iff k # 0, and the occurrence of 
e Causes the state to be decremented. Every computation is valid. In this specification, 
the requirement that e occurs only finitely often is captured by the indeterminate choice 
of initial state. 


Let S,., be the determinate specification and let Sing be the indeterminate specification. 
Clearly O(S,,,) = O(S,,,)- 
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Now consider an interconnection 3 = <a, 55>, where the abstract interface DS, the 
single component interface F , and the composite interface E) are all the same interface 
{A, e}, and the abstraction map a! and the decomposition map 8) are the identity 
translation. Clearly both of the implementations <3, Sy... Sig? and <3, Sig, Sg are 
correct. However, the maximality condition does not hold for the implementation 
<5, S; nd? Suet?’ To see this, note that any pair <k, *> is an initial state for the composite 
machine, and is hence reachable for that machine. Furthermore, the event e is always 
enabled for the component machine. For maximality to hold, it would have to be the 
case that e is enabled for the abstract machine no matter what the value of k is. But e is 
not enabled for the abstract machine if k = 0. 


In certain situations, for example the transmission line module specification in 
Appendix Il, the use of indeterminate specifications is quite natural. However, the 
preceding example shows that unless we are careful, it may not be possible to use the 
Correctness Theorem to prove the correctness of implementations when such a 
specification is used as the specification for the abstract module. 


The proof of the Completeness Theorem actually does not require that the 
abstract module specification S,.. be determinate, but rather the somewhat weaker 
assumption that Sp3 b€ regular and "quasi-determinate." Intuitively, the set of future 
observations that can be produced by a quasi-determinate machine is independent of 
the choice of states made on the initial segment {0, t]. 


To define quasi-determinacy precisely, we extend to histories the =, notation 
defined above for observations. If X and Y are histories, then we write X =, Y if Obs,(t) 
=, Obs,(t) and State,(t) = State,(t) for all t € [0, a) (and hence for all t € [0, a] by the 
properties of state functions). 


Definition - A machine M is quasi-determinate if for all computations X and Y for M, and 
all t € [0, °°), if Obs, =, Obs,, then there exists a computation Z of M such that Z =, X 
and Obs, = Obs,. A state-transition specification S = <M, V> is quasi-determinate if M 
is quasi-determinate. & 


If a state-transition specification is determinate, then it can also be seen to be 
quasi-determinate by choosing Z = Y in the above definition. Determinacy implies that 
State, can be defined in exactly one way on the interval [0, f], thus showing that X =, Z. 
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We next consider orthogonality. Intuitively, in an orthogonal specification, every 
computation agrees for an arbitrarily long time with a valid computation. Orthogonality 
is related to the correct partitioning of “local" and “globai" properties between the 
' gtate-transition relation and the validity conditions of a specification. Roughly, 
orthogonality means that the validity conditions contain no information that could have 
been expressed by strengthening the machine part of the specification. 


Definition - A state-transition specification S = <M, VW is orthogonal if for all 
computations X of M and all t € [0, 9), there exists Y € Vsuch that X =, Y. 


6.4 The Completeness Theorem 
We can now state and prove the Completeness Theorem. 


Theorem 6.4 (Completeness Theorem) - Let 3 be an evolutionary specification domain. 
Suppose that <3, S,.., <S>,¢P is a 3-implementation, where S,.. and S, for each i € / are 
state-transition specifications. Suppose that S,,. is regular and quasi-determinate, and 
that S, is orthogonal and locally 5-consistent for each / € /. If <I, Sa, <SPieP is 
%-correct then the maximality and validity conditions hold. 


i: 
Proof - Suppose that S,.. = <M..,, V,p.>, and that S, = <M,, V>, for eachi €/. Let M be 
the composite machine. Note that the assumption that each S; is locally 3-consistent 
together with the assumption of %-correctness implies, by Lemma 6.2, that 


a40(§ 4) (<O(S)>,<,) C OlS,,,)- 


(Validity): To see that the validity condition holds, suppose that X is a computation for M, 
such that X € V, for each i € /. Then 85(Obs,) € 0(S,) for each i € J. It therefore follows, 
by the previous paragraph, that a4(Obs,) € O(S,,). This means that there exists a 
computation X,,. of M,,., such that X,., € V,.. and Obs; = a4(Obs,). Since S,,,, is 
assumed regular, and Obs, (abs) = Obs, it follows that the computation X55) is also 


in V,n5: 2S required. 


(Maximality): To prove maximality, suppose q € Q,, is reachable, and that e € E,, is such 
that 55(e) is enabled for M, in state #(q), for each i € 1. We wish to show that a4(e) is 
enabled for M,,,, in state #,,.(q). 
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The proof is of necessity somewhat roundabout, since the assumption of 
$-correctness is the only information we have at our disposal concerning the 
relationship between the computations of M,,. and those of the M,. The idea is as 
follows: We first obtain a computation X of M that arrives at state q at time n, and such 
that no non-A events occur on the interval [n, 00). Let x = Obs,. For eachi € /, we can 
modify X to obtain a computation X, for M,, by letting the event 55(e) occur at time n. Of 
course, we do not yet know that we can modify X'S) in a similar way -- this is what we 
are trying to show. 


We next use the orthogonality assumption on the S, to obtain, for each/€/,a valid 
computation Y, that “looks like" X, on the initial segment [0,n+1). Each Y, produces an 
cbservation y,€ o(s)) that looks like 53(x) on the interval [0, n + 1). We do not know that 
there is a single observation y such that y, = 55(y) for all i € 1. However, we can use 
Lemma 6.3, plus the composition closure property of the specification domain 3 to 
obtain an observation z such that, for all i € /, 85(z) € O(S,) and 8(z) looks like y, on the 
interval [0, n + 1). 3-correctness implies that a(z) € 0(S,,,)- 


Since a%(z) € O(S,,,): we can obtain a computation Z,,. for M,,., such that Obs; 

Ss 

= a(z). Now, event a%(e) occurs at time n in Z,... If we knew that State, wal = 
a 


7 aps(9), then this would show that a(e) is enabled for M,,, in state 7 ans(7)- Although it 
need not be the case that State, (a) = m4,,(9), the quasi-determinacy of S,,, lets us 
replace the [0, n] segment of State, with the corresponding segment of State,(abs), 
with the result still a computation of M,,.. Since State,(abs\(n) = 7,,,(q), this will 
complete the proof. 


Formally, since q is reachable for M, by definition of reachability there exist 
Qo: Fy) + 1 I, © Qy, and ey, 6,,..., 6, , € E,,, such that QJ € Init,,, 9, = 9, and <q,, @,, 


G,44° € Trans,, for all k € {0, 1,...,n-1}. 


Let f: N—» Steps(E,,, Q,,) be defined by: 
fk) = <q,, 659,44 1fOSk <n 
= <q,,4,9,>, otherwise. 
Then f is a history skeleton and by Lemma 3.5 there is a unique history X such that f 
spans X. Let x = Obs,. It is easy to see that X is a computation of M. 
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Since 5%(e) is enabled for M, in state #(q), for each i € / we can choose r, € Qu, 
such that <2 (q), 54(e), me Trans,,. It follows that for each / € /, the history X;, where X, 
=X and 

Obs, (t) = 85(e), fort =n 
=A, for t € (n, 00) 
State, (1) = 1, fort € [n, 0) 
is a computation for M, Let x; = Obs, for each i € /. 


By the assumption that each S, is orthogonal, we can obtain computations Y, € V, 
such that Y, =,,,X, Lety, = Obs, . Then y, € O(S,) and y, =, , , x; 


n+ 


Since each S, is locally 3-consistent, and the the specification domain 3 is 
evolutionary, we can apply Lemma 6.3 to show that future, .,, (O(S)) contains a 


%-behavior B, of interface FS for each i € /. Let B = (6 J)1(B ). Then since the 
_ Specification domain 3 is closed under composition, it follows that B is a 3-behavior of 
interface E4. Since 3-behaviors are nonempty by the nondegeneracy property of 9, it 
follows that we can choose an element z‘ of B. Let z be the observation defined by the 
properties: 

z= ‘i x 

z(n) =e 

z(t) = A, fort € (n,n +1) 

suffix, , ,(z) =z’. 
Then by construction, 85(z) € O(S,) for each / € /. As shown in the first paragraph of the 
proof, it follows by 3-correctness that a(z) € O(S,..5)° 


Since a3(z) € O(S,,,), there exists a computation 2 aoe for M,., with ica Se = 
a(z). By construction, Obs, = a(z) =, a(x) = Obs,(abs). Since S... is 
quasi-determinate, there exists a computation Z,,,' such that Z...‘ =, X'S) and 
Obs, = Obs, Since Z,.,' =,, X'°*), we know that State, An) = 2,,,(q). Since 
a(e) occurs at time n in Z,.. ‘, it follows that a%(e) is enabled for Mans in state T aps(9)s as 
desired. 8 
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7. Conclusion 
7.1 Summary 


The important accomplishments of this thesis are the following: 

1. Formal Framework - A major accomplishment of this thesis is that it sets 
up a formal framework within which it is possible to formulate precisely a large number 
of interesting and important questions about specifications and correctness proofs, and 
to obtain rigorous answers to these questions. The framework includes the notions of 
interface, observation behavior, composition, and abstraction, as primitive. These 
primitive notions are used to give precise, language-independent definitions of the 
notions of implementation, correctness, and consistency. 

2. State-Transition Specifications - The thesis shows how module 
behaviors can be conveniently and naturally described in terms of a machine that 
generates an observation as it executes, plus some validity conditions on the 
computations of that machine. Specifications stated in such a form lend themselves to 
@ systematic method fer performing correctness proofs. 

3. Rely- and Guarantee-Conditions - The concept of rely- and 
guarantee-conditions is shown to be useful for organizing eventuality specifications and 
proofs of correctness involving such specifications. The use of rely- and 
guarantee-conditions seems to result in simple proofs based on the communication 
structure of a system, rather than in proofs based on the structure of computations. 

4. Consistency of Specifications - The |/O-behavior model provides an 
interesting and useful notion of consistency for eventuality specifications. The thesis 
obtains a technique for proving the !/O-consistency of state-transition specifications. 


The investigation of state-transition specification performed in this thesis has 
resulted in some practical insights that can be tentatively expressed in the form of the 
following procedure for refinement of an abstract module into a system of component 
modules: 

(1) Determine the interconnection of component modules that will be used to 
implement the abstract module. 

(2) Identify the implementation invariant and the rely-/quarantee-conditions 
required for the proof of correctness. 

(3) "Localize" the rely-/guarantee-conditions to each component module. 
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Introduce sufficient information into the Component module states to permit the 
localized conditions to be conveniently expressed. 

(4) Define the state-transition relations for each component module. 

(5) Check the completed component module specifications by proving their 
consistency. 

(6) Use the component module specifications to perform a complete proof of 
correctness for the implementation. 
The resource manager example in Appendix II illustrates the use of this procedure. 


It has unfortunately been possible in this thesis to investigate only a tiny fraction of 
the questions that could conceivably be formulated using the framework developed 
here. The remainder of this chapter lists a number of questions that have not been 
addressed, but should be. Hopefully the answers to these questions can provide further 
practical insights into the problem of design, and ultimately contribute to more useful 
and reliable distributed /concurrent systems. 


7.2 Ideas for Future Work 


The basic framework set up in this thesis can serve as a starting point for a number 
of interesting extensions. The discussion below is concerned with the following broad 
possibilities for investigation: 

(1) Specification Domains 

(2) Semantic Properties of State-Transition Specifications 
(3) Organizing Principles for Specifications and Proofs 
(4) Formal Specification and Proof 

(5) Non-State-Transition Specifications 


7.2.1 Specification Domains 


The concept of a specification domain appears to offer considerable possibilities 
for theoretical investigation. There are two broad directions for future investigation of 
specification domains. The first direction is concerned with developing the general 
theory of specification domains, and relating this theory to domain theory as used in 
programming language semantics. The second direction is to construct additional 
example specification domains that model systems with interesting properties. 
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Plausible steps toward a general theory of specification domains might include the 
following: 

(1) The definition of a specification domain should be generalized so that the 
particular structure of an observation is not specified. The assumption of the particular 
structure of translations between interfaces would also have to be removed. A 
reasonable approach might be to assume that the interfaces and translations comprise 
the objects and morphisms of a category. The relationship between interfaces and 
observations would take the form of a functor defined on the category of interfaces, 
which maps each interface E to the set Obs(E) of observations over E, and which maps 
each translation a: FE — F to a function on observations. 

(2) The notion of a behavior should be generalized so that a behavior 
determines, but is not identified with, a set of observations. This would permit behaviors 
such as the "futures processes” of [Rounds81] to be used, as well as correspondingly 
more general abstraction and composition operations. There still should be some 
constraints on the effect of abstraction and composition operations with respect to the 
set of observations determined by a behavior. It is not immediately obvious what those 
constraints should be. 

(3) An attempt should be made to try to identify the correct set of regularity 
assumptions for abstraction and composition operations. The results of Chapter 6 
required no such assumptions, however it seems reasonable that the classes of 
abstraction and decomposition maps ought to be closed under function composition 
and include the identity translations. The !/O-abstraction maps and |/O-decomposition 
maps certainly have these properties. 

(4) The specification domain |/O seems to provide motivation for a kind of 
duality between abstraction and decomposition, in the sense that abstraction and 
decomposition maps seem to have complementary preservation properties with respect 
to input and output. It would be very interesting if abstraction and decomposition maps 
could be unified, so that they are just dual instances of a single underlying notion of 
translation, or “interface morphism." One way this might be accomplished is by 
assuming the existence of a kind of conjugation operation on interfaces. Intuitively, the 
conjugate of a module interface would be the interface of the module's environment. 
The duality between abstraction and decomposition might then be captured by stating 
that a decomposition map is an abstraction map defined on conjugate interfaces. 
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To help motivate the correct general definitions, further specific examples of 
specification domains should be constructed and studied. Ideas for constructing 
further examples of specification domains might be as follows: 

(1) Different notions of observation might be used to construct a number of 
interesting specification domains. One example is to replace the assumption that 
observations contain only finitely many events in any finite interval with some less 
restrictive topological assumption, and to attempt to construct corresponding classes of 
behaviors. If the machine approach to defining behaviors is to be used, then there is the 
problem of how to define a machine that permits infinitely many events to occur in a 
finite interval. Examples of such "machines" already appear in the theory of dynamical 
systems. For example, if one is willing to assume that an observation is a continuous, 
differentiable function on [0, °%), then the correct notion of machine is that of a 
differential equation. 

(2) Different special assumptions on behaviors can be made to model systems 
with particular properties. For example, it would be interesting to find a class of 
behaviors that includes non-asynchronous behaviors, corresponding to sets of 
observations that are not necessarily closed under stretching of the time axis. These 
behaviors would model timing-dependent systems. If observations contain space 
coordinates, in addition to time coordinates, then it might be possible to construct a 
class of behaviors with the property that information doesn't travel "too quickly" from 
one place to another. This specification domain could be used to investigate the 
problem of what can be observed by one module about the operation of another in a 
distributed system. Another idea might be to try to characterize a class of “atomic” 
behaviors, like the atomic data types of [Weihl84]. The observations in these behaviors 
would have certain serializability properties. 

(3) An attempt should be made to deal correctly with simultaneity. It should be 
possible to do this within the specification domain framework as follows: Introduce 
additional structure on interfaces to model the intuitive idea that some events represent 
the simultaneous occurrence of more primitive events. For example, it might be 
assumed that the events in an interface form a complete lower semilattice with A at the 
bottom, and with the semilattice operation LJ representing the operation of 
“simultaneous occurrence." The main problem with this approach is how to introduce 
the notions of input and output so that an assignment of behaviors that is 
nondegenerate and closed under composition can be defined. 
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7.2.2 Semantic Properties of State-Transition Specifications 


in Chapter 6 three semantic properties of state-transition specifications were 
identified (determinacy, regularity, orthogonality) and it was suggested that these might 
be properties characteristic of "well-formed" specifications. The idea of finding 
semantic well-formedness properties of specifications also appears in [Jones81], where 
the notion of an “unbiased” specification is discussed. It is interesting and useful to try 
to identify such properties, since they can possibly serve as guidelines in the design 
process. An important extension to this thesis would be to try to examine more closely 
the properties identified in Chapter 6, to develop techniques for proving that 
specifications have these properties, and to try to develop additional well-formedness 
properties. 


7.2.3 Organizing Principles for Specifications and Proofs 


The development of organizing principles for specifications and proofs appears to 
be a promising area of investigation. The rely- and guarantee-condition approach to 
writing specifications and performing correctness proofs is an example of the kind of 
results one might try to obtain. The way to proceed in this area is to perform example 
specifications and correctness proofs, and then try to abstract from these examples 
something in the way of general methods that would be applicable to other examples. 
This is difficult, because the examples take a long time to do, and it is hard to abstract 
general methods from a few examples. 


Rely-/Guarantee-Conditions: 


Rely- and guarantee-conditions were used in this thesis in the statement of the 
validity condition portion of a specification only. This is in contrast to the work of other 
researchers, for example [Jones81], in which rely- and guarantee-conditions can be 
used for state-transition properties only. For the examples in this thesis it did not seem 
particularly helpful to use rely- and guarantee-conditions for the state-transition portion 
of a specification. One possible exception might be the synchronizer and synchronizer 
component module specifications, in which the use of rely- and guarantee-conditions in 
the state-transition part of the specification might obviate the need for an error state. 
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Determinate vs. Indeterminate Specifications: 


Both determinate and indeterminate specifications seem to be useful. From a 
_ Strictly theoretical standpoint, determinate specifications are more convenient to work 
with than indeterminate specifications. From a practical point of view, though, there are 
cases (such as the transmission line specification of Appendix Il) in which the use of 
indeterminate specifications is quite natural, and in which an equivalent determinate 
specification would have to be stated in a much more convoluted fashion. Perhaps a 
result could be proved which shows that determinate and indeterminate specifications 
are equivalent in expressive power, in the sense that every indeterminate specification 
could be stated equivalently as a determinate specification. Such a result would permit 
the theory of specification to deal only with the more convenient determinate 
specifications, while permitting indeterminate specifications to be used in examples 
where they seem natural. 


Parallel Specifications: 


In certain examples, though nui in ary of the ones considered in this thesis, it is 
convenient to describe the desired functioning of a module in terms of a collection of 
loosely interacting concurrent processes. This process structure is a logical one used 
for descriptive purposes only, and may or may not bear any relation to the structure of 
an implementation of the module. It would be nice to be able to write specifications that 
reflect such a logical decomposition. State-transition specifications as described in this 
thesis are an inherently sequential form of description, since they include only a single 
machine. Perhaps the state-transition technique could be extended by permitting 
specifications to include a collection of machines that execute in parallel, and whose 
state sets are mostly independent of each other. To perform correctness proofs with 
this kind of specification would require a modified version of the Correctness Theorem. 


Differential vs. Integral Form: 


There is a certain amount of flexibility in whether state-transition properties are 
expressed in “differential,” state-transition form, or in “integral,” invariant form. In 
general, given a statement of the invariant form, "for all reachable states qg, property 
P(q) holds," an equivalent expression in state-transition form can be obtained by a 
simple syntactic transformation analogous to differentiation, e.g. "Property P holds of 
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all initial states, and a state transition from q to r can occur only if P(q) implies P(r)." 
There is apparently no general method for "integration," that is, for obtaining equivalent 
statements in invariant form, given a statement in state-transition form. 


In this thesis, the policy was adopted that all local properties would be expressed 
in state-transition form, rather than in invariant form. One reason for this is that, in 
general, invariants for the composite machine for an implementation cannot be proved 
directly from invariants for the component machines. Rather, it is necessary to first 
"differentiate" the invariants for the components, to obtain corresponding 
preconditions for event occurrences, and then use these preconditions in an inductive 
proof of the desired invariant for the composite machine. In certain circumstances, 
though, it seems natural to express specifications in invariant, rather than 
state-transition form. For example, in the synchronizer module specification it is 
perhaps more natural to state explicitly that "at most one user process can be running 
at any instant," rather than the more indirect approach taken here, where we use the 
precondition “a run event can occur only if there are no users currently running.” 
Further investiaation into the relationshin between state-transition and invariant 
specifications seems needed. 


7.2.4 Formal Specification and Proof 


For the specification and proof techniques developed in this thesis to be useful for 
practical examples, the development of mechanical aids for manipulating specifications 
and assisting in correctness proofs is essential. Appendix | takes the first steps toward 
this goal by showing how all of the proof techniques developed in this thesis can be 
formalized within an appropriate temporal language. Further steps should be taken 
along the following lines: 

(1) A practical method should be devised for describing heterogeneous 
algebras and for associating with each description a reasonably powerful, sound 
deductive system for deducing properties of the described algebra. In spite of the large 
amount of work that has been done in this area (specification of abstract data types), a 
completely satisfactory method is still lacking. 

(2) Tools are needed for enumeration and checking of cases in inductive 
proofs of invariance. In the correctness proofs performed in this thesis, once the 
implementation invariant is devised, the proof that it is inductive is a tedious case 
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analysis that ought to be easily mechanizable. 

(3) Mechanical aids for checking proofs in temporal logic are needed. Such a 
proof checker would probably not be capable of performing complete proofs by itself, 
but rather would serve to fill in intermediate steps in a proof generated by a human 
verfier. 


7.2.5 Non-State-Transition Specifications 


It would be interesting to use the framework of definitions set up in Chapter 2 to 
investigate specification languages not based on the state-transition approach. One 
obvious example is to investigate specification languages based on some kind of 
generalized regular expression. Preliminary experience with this kind of specification 
seems to indicate that the regular expression approach seems to produce shorter 
specifications for trivial examples, but for more complex examples it is much more 
difficult to express the desired properties. Interesting questions are what sort of 
deductive system, if any, could be used to derive consequences from specifications 
stated in regular expression farm, and what form the Correctness Theorem would take 
for such specifications. 
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Appendix | - Formal Specification and Proof 


The purpose of this appendix is to outline the way in which the informal 
state-transition specification and proof techniques used in this thesis can be formalized, 
perhaps to permit mechanically-assisted specification and verification. The major new 
concepts introduced to permit this formalization are those of an “event/state algebra" 
and an "implementation algebra." An event/state algebra is a heterogeneous algebra 
that embeds the machine part of a state-transition specification. An “implementation 
algebra” is a special kind of event/state algebra, which embeds the composite machine 
for an implementation, and which contains among its operations the abstraction and 
decomposition map for the implementation. 


The utility of event/state algebras and implementation algebras derives from the 
fact that associated with each event/state algebra A (and hence each implementation 
algebra as well) is a temporal logic language 9(A), within which can be expressed 
properties of the computations of the embedded machine. Each of the proof techniques 
presented in this thesis has the property ‘that its hypotheses can be formalized in terms 
of the validity of verification conditions, which are sentences expressed in the temporal 
language of an appropriate event/state algebra. The problem of formalizing proofs that 
use the techniques of this thesis is thereby reduced to the following two problems: 

(1) Find a convenient method for describing event/state algebras. 

(2) Find a general method whereby the description of an event/state algebra A 
can be used to obtain a formal deductive system for deriving a large number of true 
statements about A, where these statements are expressed in the temporai language 


SA). 


In this appendix, the following tasks are accomplished: 

(1) The notions of event/state algebra and implementation algebra are 
defined. | 

(2) Precise semantics are given for the temporal language (A) associated with 
an event/state algebra A. 

(3) An approach, based on set theory, for describing event/state algebras is 
sketched. It is indicated how, from the description of an event/state algebra A, an 
A-sound deductive system for the language 3{A) might be obtained. 

(4) It is show how the various proof techniques presented in this thesis can be 
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formalized in the language (A) for an appropriate A. 
1.3 Event/State Algebras 


Definition - An event/state algebra A is a heterogeneous algebra whose signature is of 
the form: <Events,, States,, Init,, Trans,, A ar 2, Where A, is a distinguished constant 
of sort Events, so that <Events,, ,> is an interface, and <Events,, States, Init,, Trans,> 
is a machine, which we call the embedded machine and which we denote by Mach,. & 


When there is only one event/state algebra under consideration, we will omit the 
identifying subscripts. The ellipsis in the signature of A indicates that A is permitted to 
contain additional sorts, relations, and functions besides those explicitly listed. The 
reason for permitting A to contain these additional sorts, relations, and functions, is to 
provide a mechanism by which the temporal language 3{A) can be made as expressive 
as desired. 


We now define precisely the syntax and semantics of the temporal language (A) 
uf an event/state algebra A. Let Z, be ine signature of A. The signature &, is required 
to contain distinguished sorts Events and States. In addition, we assume that 
corresponding to each sort of Z, is a countably infinite collection of variables which we 
use to range over values of that sort. The language 3(A) contains syntactic categories 
of "terms," "atomic formulas," and "formulas," which are defined by induction as 
follows: 


Terms: 

(1) The distinguished symbols Now and After are terms of sort States. 

(2) The distinguished symbol Occurs is a term of sort Events. 

(3) !f vis a variable of sort S, then v is a term of sort S. 

(4) Ift,,.., ¢, are terms of sorts S,, +. .5,, respectively, and f is an n-ary 
function symbol of type S, X ... XS, > S, then f(t, ... ¢,) is aterm of sort S. 


Atomic Formulas: If t,, ... , t, are terms of sorts S,,--.S,, respectively, and R is an n-ary 
relation symbol of type S, x... X S,, then R(t, ... t,) is an atomic formula. 


Formulas: 
(1) An atomic formula is a formula. 
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(2) If » and ¥ are formulas, and v is a variable of sort S, then 9, @ v ¥, and 
(AvES)— are formulas. 

(3) If p is a formula, then Og is a formula. 
The sets of terms, atomic formulas, and formulas of S{A) are the least sets with the 


properties listed. 


The first-order language L(A) is the sublanguage of J{A) obtained by omitting 
formation rules (1) and (2) under "Terms," and formation rule (3) under "Formulas." 
We treat the additional logical connectives A, —, «+, V as abbreviations in the usual 
way. In addition, the temporal operator © is regarded as an abbreviation for ~"O-. 


We use the notation t(v, ... v.) to denote a term t whose variables are a subset of 
the set {v,,...,v,}, and the notation g(v, ... v,) to denote a formula whose free variables 
are a subset of {v,, .,V,}. The notations t(t,/v, .. ¢,/v,) and o(t,/v, ... t,/v,,) denote 
the result of substituting the terms t,, ... , t, for free occurrences of the variables v,, ... , 
v,, int and 9, respectively. 


Next, we define the semantics of SIA). If S is a symbol (sort name, functinn symbol, 
or relation symbol) in the signature of A, then we use S, to represent the denotation (set, 
function, or relation) assigned by A to the symbol S. Define an interpretation for a 
sequence v,, ..., v, Of variables of sorts S,, ...,S,, respectively, to be a sequence a,,..., 
a, of elements of A, where each a, is of sort S,. The semantics of 9(A) are defined in two 
parts. First, given an intepretation Ayes a, for the free variables Var ee Va term 
t(v, .... v,) Of sort S denotes a function t{a,/v, aay a/v] from Steps(Events,, States,) to 
S,, whose value on the step s = <q, e, P is defined as follows: 

(1) If t is Now, then ¢t[a,/v, ... a,/v,](s) = q. 
If t is After, then t[a,/v, ... a,/v,)(s) = r. 
(2) Ift is Occurs, then t[a,/v, ... a,/v,](s) = e. 
(3) If tis the variable v,, then t{a,/v, ... a,/v,](s) = a,. 
(4) If tis f(t, ...t,), then t[a,/v, ... a,/v ](s) = f,(b, ...b,), 
where b, = t,[a,/v, ... @,/v,](s) for each k. 


The second part of the definition of the semantics of 9(A) is concerned with when a 
formula gv, ... v,) iS satisfied by a history X € Hist(Events,, States,), and an 
intepretation a for Vives Vie We abbreviate this as X F, la,/v, ‘ae a/v, or, 
when the algebra A is clear from the context, as simply X  g[a,/v, ... a,/v,]. 
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Atomic Formulas: If » is the atomic formula R(t, ... t,,), where the free variables of each 
t, are in the set {v,, ..., v,}, then X = 9fa,/v, ... a,/v,] iff <b,, ..,b,> € R,, where b, = 
t.[a,/v,.. a,/v,](Step,(0)) for each k. 


Formulas: lf g is a formula, but not an atomic formula, then 

(1) If pis 7y, ¥ v x, or (AVES)y, then satisfaction for g is defined by induction 
in the usual way. 

(2) If p is Oy, then X & gfa,/v, ... a,/v,] iff suffix(X) = pla,/v, ... a,/v,] for 
all t € [0, 00). 


Suppose that pv, ... v,) is a formula of 9{A) and that ¥ is a set of formulas of G{A), 
the free variables of which are a subset of {v,, see vt We say that » is a consequence 
of ¥ in A, written Y F, 9, if whenever a,, ... , a, is an interpretation for the variables v,, 

1 V,, and X € Hist(Events,, States,) is such that X = y[a,/v, ... a,/v,] for all ¥ in ¥, 
then X = 9[a,/v, ... a,/v,] as well. The formula ¢ is said to be valid in A, abbreviated 
=, 9, if p is a consequence in A of the null set of formulas. A sentence of 3A) is a 
formula of 3(A) that has no free variables. If @ is a sentence and ¥ is a formula, then it is 
easily verified that p F, y iff, p — ¥. 


The following result makes explicit the relationship between the preceding 
definitions and the usual semantics of first/order logic. 


Lemma 1.1 - Suppose that P(V, --. V,) is a formula of S(A), containing no occurrences of 

©. Suppose that A is an event/state algebra, that X € Hist(Events,, States,), and that 

a , 4, is an interpretation for the variables v,, ... , v,. Suppose X(0) = <q, e, >. Then 
X =, pfa,/v,... a,/v,] 


pe 


iff 
=, pla,/v, ... a,/v,,q/Now, e/Occurs, r/After], 
where the latter is defined in the usual sense of first-order logic. 


Proof - Straightforward. 8 


We recall here the definitions, given in Chapter 4, of the sentence Comp of 9(A). 
Comp = Init(Now) A OTrans(Now, Occurs, After) 
intuitively, X k= Comp iff X is a computation for the embedded machine Mach, 
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We conclude this section with the following definition: Suppose that A is an 
event/state algebra, and Valid is a sentence of 9{A). Then the state-transition 
specification defined by the pair <A, Valid> is the state transition specification S = 
<M, V>, where M = Mach,, and V = {X € Hist(Events,, States,): X = Comp A Valid}. 


1.4 Description of Event/State Algebras 


In this section, we consider the problem of describing event/state algebras in such 
a way that a sound deductive system for 3(A) can be obtained from a description of the 
event/state algebra A. It should be noted that this problem has already received a good 
deal of attention in the research literature under the heading of “Specification of 
Abstract Data Types." In spite of the effort that has been expended on this problem, 
there still does not seem to be an available description method that is convenient for the 
purposes of this thesis. Hopefully this situation will be rectified in the near future. 


The description technique we use here can be summarized as follows: We assume 
fixed in advance a standard "primitive" or "core" algebra with a sufficiently expressive 
first-order theory. Let C be the core algebra, and let T be its complete first-order theory, 
expressed in the language £(C). An event/state algebra is described by writing a 
collection of first-order axioms U in an extension 2 of L(C), that define an extension by 
definition of T. Such a collection of axioms defines a unique extension of the core 
algebra C to a model A of T U U. 


We wish to obtain an A-sound deductive system for the language L(A) (= L). 
Since we wish our description method to be powerful enough to describe algebras such 
as <N, 0, 1, +, °>, which cannot be completely axiomatized, it seems unreasonable to 
expect the core theory 7 to be axiomatizable. If we fix in advance a deductive system 
that axiomatizes a usefully large fragment of 7, though, then by augmenting this 
deductive system with the defining axioms U, we can hopefully obtain an axiomatization 
of a usefully large fragment of the complete first-order theory of A. In this thesis, we 
assume as the core theory some suitable variant of the theory of sets. Set theory is 
highly expressive, and this makes it easy to describe desired event/state algebras. 
However, if machine-assisted verification is a goal, then set theory might not be the most 
appropriate: it seems quite possible that some less expressive core theory would be 
more amenable to mechanization. 


Stat 
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We next consider the problem of deduction in 3{A). Given an event/state algebra 
description, which, as discussed above, we regard as denoting an extension by 
definition of an underlying set theory, we wish to be able to deduce a large class of 
- A-valid formulas of 3{A). Suppose we could somehow transform an arbitrary sentence » 
of 5(A) into a sentence gp‘ of £(A) such that F, 9 <> » ‘. In other words, suppose that 
we could axiomatize the temporal operator 0 and special symbols Now, Occurs, and 
After, in terms of the set theoretic notions of £. Then the problem of showing FE, 9, 
where » € 9({A), would be reduced to the problem of showing that T F ¢’, where p‘ € 
L(A) is the transformed version of p. 


It seems likely that the reduction described the preceding paragraph can actually 
be carried out, since the idea seems essentially the same as that used in the proofs 
[Harel78] of the "arithmetic completeness" of deductive systems for dynamic logics. 
Assuming that this idea works for the temporal logics S{A), this would give us a way of 
deducing ail valid formulas of 3{A), assuming we have available the complete theory of 
some model of set theory. Although we can never obtain a complete axiomatization of 
set theory, it seems likely that any of the tsual collections of axioms for set theary would 
provide us with a deductive system for 3{A) that is powerful enough to be useful in 
practice. 


In practice, to write down explicitly the collection of defining axioms that describe 
an event/state algebra A is cumbersome. It is convenient to introduce some notation 
for common constructions. We do this with the understanding that descriptions 
expressed in this notation stand for collections of first-order defining axioms. In 
general, the description of an event/state algebra can be divided into two parts: one, 
the definition of new sorts, and two, the definition of new function and relation symbols. 


We define new sorts by a set of defining equations that define the new sorts in 

terms of more primitive components. These equations take the form: 
S = &(S,,..,S8,), 

where S is the new sort being defined, S,, ... , S, are the names of previously-defined 
sorts, and & is an expression within which various set-theoretic constructions can 
appear. These defining equations are analogous to the domain equations used in the 
denotational definition of the semantics of a programming language [Gordon79]; 
however, to ensure that a set of equations can be regarded as denoting a colletion of 
defining axioms, we do not permit here the use of recursive equations. The 
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set-theoretic constructions (cartesian product, disjoint union, etc.) that appear on the 
right-hand sides of the defining equations introduce implicitly various "built-in" 
functions and relations (projection, injection, etc.). The constructions we use, and their 
associated built-in functions and relations are listed below. 


Once the equations that define the new sorts have been given, we can use these 
sorts and their built-in function and relations to define additional functions and 
relations, in particular the initial state and state-transition relations for the embedded 
machine. These additional functions and relations are defined by writing defining 
axioms in the usual way. 


1.4.1 Set-Theoretic Constructions Used in Defining Equations 


1. (Enumeration) - The expression {a,, ... , a,} denotes the n-element set 
whose elements are the constants a,, ... , a, 

2. (Disjoint Union) - If A and B are sets, then the expression [t,: A + t,: 8] 
denotes the disjoint union D of the sets A and B. The tags t, and t, are used to denote 
the injection operations associated with the disjoint union. That is, if a € A and b € B, 
then t,:a denotes the image of a, and t,:b the image of b, in D. 

3. (Cartesian Product) - The expression [t,: A X t,: B] denotes the cartesian 
product C of the sets A and B. Associated with an element c of C are its projections c(t,) 
and c(t,) onto the sets A and B, respectively. Given a € A and b € B, then the expression 
<t,: a, tg: b> denotes the ordered pair with components a and b. Ifc € C anda € A, then © 
the notation c[a/t al denotes the element c ’ of C which is identical to c except that its ¢, 
component has the value a. To reduce Clutter in expressions, tags will be omitted from 
both the disjoint union and cartesian product constructions when this is unlikely to 
cause confusion as to the intended meaning. 

4. (Function Space) - If A and B are sets, then the notation [A — 8] denotes 
the set of all functions with domain A and range 8. We use the usual notation f(a) for the 
application of f to the argument a, and the notation f[b/a] for the function that is 
identical to f except that it has value b for argument a. 

5. (Finite Powerset) - The notation Set[A] denotes the set of all finite subsets 
of the set A. If s € Set[A] and a € A, then the expression a€s is true iff a is an element of 
the set s. The expression |s| denotes the cardinality of the set s. We also use the usual 
operations U, N, and ~ on Set[A]. The notation MSet[A] denotes the set of all finite 
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multisets of elements of A. We use the same notation for operations on multisets as for 
sets, however, the meaning appropriate for multisets is assumed in this case. 

6. (Finite Sequences) - The notation Seq[A] denotes the set of all finite 
- sequences (i.e. strings) of elements of A. If u, v € Seaq[A], then Ju] denotes the length of 
u, uv and uev denote the concatenation of u and v, and if n € Nat, then u(n) denotes the 
n+ 1st element of u. 


1.4.2 Definition of the State-Transition Relation 


Manipulation of the state-transition relation is sometimes more convenient if its 
defining axioms are factored into a collection of pairs, each of which consists of a 
precondition, and a next-state predicate. The precondition defines the class of events 
to which the pair applies, and defines conditions on the current state that must be 
satisfied before an event in that class can occur. The next-state predicate determines 
the relation that must hold between the current state and the new state that results from 
an occurrence of such an event. 


Although the basic idea of precondition/next-state predicate pairs is fairly simple, 
some subtleties arise in actual use, especially associated with the interpretation of free 
variables common to the two predicates. This problem is similar to that which arises in 
the interpretation of free variables in the pre- and post-conditions used to specify 
sequential programs. We must therefore be somewhat more careful about the precise 
form and meaning of the pairs. A pair takes the form: <Pre(q, e, x ), Next(q, r, x )>, where 
e is a variable of sort Events, q and r are variables of sort States, and x is a vector of free 
variables of sorts § , where S$ can be chosen arbitrarily for each pair. A finite collection 
<Pre,, Next,>, ... , <Pre,, Next>, where the kth pair contains free variables x , of sorts 
$ ,, determines the defining axiom for the state transition relation Trans according to the 
following definition: . 

Trans(q, e, fr) = Vy _ (3x ,€8 ,)(Pre,(q, @, x ,) A Next,(q, x ,)), 
where Pre,(q, ©, x ) = e = ) and Next,(q, 7, xX .) = © = q. What the above definition 
says is that a step <q, e, > satisfies the state transition relation Trans iff there exists a 
pair <Pre,, Next,> (0 < k <n), and an interpretation of the free variables of that pair, 
such that the precondition and next state predicate hoid for that pair. 


-144- 


A useful convention we will follow, which simplifies the maximality part of 
correctness proofs, is to define the preconditions Pre(q, e, x ) and next state predicate 
Next(q, r, x ) in each pair so that they satisfy the following relationship: 

= (Vq€States, e€Events, x €S )(Pre(q, e, x ) + (3r€States)Next(q, r, x )). 
That is, whenever the precondition is satisfied by a state gq, an event e, and an 
interpretation x for the free variables, then there must be a new state r such that g, r and 
x satisfy the next state predicate. 


1.4.3 Parameterized Descriptions 


Quite often one wishes to write parameterized descriptions of event/state 
algebras, where the parameters may be values, as in the case of the synchronizer 
component module, where the number of initial tokens is given as a parameter, or 
perhaps sets or some other kind of object. In this thesis, we view a parameterized 
event/state algebra description as a schema for the construction of a family of related 
descriptions. This way of treating parameters is satisfactory as long as there is no need 
to perform reasoning about parameters with infinitary structure. A more general 
treatement of parameters requires extensions to the event/state algebra formalism, and 
is outside the scope of this thesis. 


/ 


1.5 Implementation Algebras 


We have previously discussed the notion of an event/state algebra, which is a 
formal structure that embeds the machine part of a state-transition specification. The 
purpose of an event/state algebra is to provide semantics for the associated temporal 
language. The temporal language, in turn, serves as a vehicle for the formal statement 
of properties of histories, among which are the validity conditions for a specification. 
Augmented with a sound deductive system, the temporal language can also serve to 
express derivations of consequences of a specification. 


Just as we can use the temporal language associated with a specification to 
express and derive consequences of that specification, we would like to associate with 
an implementation a language suitable for the expression and derivation of the 
conditions required for the correctness of that implementation. However, taken 
separately, none of the temporal languages associated with any of the modules involved 
in an implementation suffices for this purpose. To solve this problem, we define below 
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the notion of an "implementation algebra," which is a kind of "composite" event/state 
algebra whose associated temporal language is powerful enough to permit the 
expression of correctness conditions. 


Let us say that an algebra A embeds an algebra B if there exists a signature 
morphism! t from the signature of B to the signature of A such that, for each sort S 
(resp. function symbol f, relation symbol! A) of B, the interpretation of S (resp. f, R) in B is 
the same as the interpretation of «(S) (resp. «(f), «(R)) in A. If A embeds B, then since we 
might as well think of B as a subalgebra of A, we will omit mention of the signature 
morphism « when no confusion can arise. 


Suppose A,,, is an event/state algebra (corresponding to an abstract module to 
be implemented), and let A = <A,, .. , A,> be a finite-length vector of event/state 
algebras (corresponding to the component modules). 


Definition - An implementation algebra for A,,, and A is an event state algebra A with 
the following properties: 

(1) A embeds Aaps ad each A, wilh i <i. For each suri or operaiion S of 
Aas (resp. A,), we write SS (resp. S') for the corresponding sort or operation of A. 

(2) A contains distinguished functions 


a: Events > Events®>s 

8: Events — Events!, for1 <i<n 
Tans: ‘States + States*®s 

7; States — States’, for 1 <i <n, 


such that: 3, = <a, § > is an interconnection, called the embedded interconnection, 
Mach, is the composite machine for J,, Mach he and <Mach Aint} and 1,,, and the m, 
are the canonical projections from the cartesian product States to the factors States®s 
and States’, respectively. § 


1. A function, mapping each sort, function symbol, and relation symbol of the signature 
of B to a corresponding sort, function, symbol, or relation symbol of the signature of A, 
that preserves relevant structure such as the -arity of the symbols. 
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Since an implementation algebra is a particular kind of event/state algebra, it has 
an associated temporal language. Furthermore, the temporal language 9(A) associated 
with an implementation algebra A contains the temporal languages (ae and each 
3{A;) as sublanguages. This property is what makes an implementation algebra useful 
for expressing correctness conditions. 


The description of an implementation algebra is performed in the same way as for 
ordinary event/state algebras. The meanings of many the symbols are fixed by the 
definition of an implementation algebra, and in practice it is convenient to omit their 
defining axioms. For example, the definition of the sort States is fixed by the 
requirement that it be the cartesian product of the sorts States": 

States = [1,,.: States*®® x w,: States’ x... X a: States”. 
Other examples of symbols whose meanings are fixed by the definition of an 
implementation algebra are the initial state relation Init, and state-transition relation 
Trans for the composite machine. Definitions must always be explicitly given for the sort 
Events, the abstraction map a and the components 6, of the decomposition map. 


1.6 Proof Techniques 
1.6.1 Formal Correctness Theorem 


In this section we reduce the problem of proving the correctness of an 
implementation to the problem of showing the validity of a set of verification conditions, 
which are expressed in the temporal language associated with the implementation 
algebra. There are three verification Conditions in the technique introduced here. The 
"invariance" verification condition expresses that the predicate Inv is an 
implementation invariant. The "maximality" verification is a straightforward 
formalization of the the maximality condition required by the Correctness Theorem, 
except that the phrase "q is reachable for the composite machine" is replaced by 
"Inv(q) holds." The “validity” verification condition is the formalization of the validity 
condition required by the Correctness Theorem. 


Recall that the validity condition required by the Correctness Theorem states that, 
if X is a computation for the composite machine that projects, under the canonical 
projections associated with the composite machine, to a valid computation for each 
component machine, then X projects to a valid computation for the abstract machine as 
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well. This condition cannot be formalized directly as a sentence in the temporal 
language of the implementation algebra, since that language has no constructs for 
dealing directly with histories and functions on histories. However, the language does 
- contain the function symbols a, <6>;¢, map: and <w7>.-,, which denote the abstraction 


map, Components of the decomposition map, and canonical projections on the state 
set, respectively. 


To formalize the validity verification condition, we need some way of taking the 
sentences that express the conditions required for a computation of the abstract 
machine or a component machine to be valid, and "lifting" these sentences to 
sentences that express the corresponding properties on computations of the composite 
machine. In Chapter 4 we defined a syntactic translation that accomplished this lifting 
in the case of the synchronizer implementation. We now define this translation in 
general, and state a lemma that summarizes its useful properties. 


Suppose that A is an implementation algebra for A,,. and <A>,<,. Given a formula 
ge of HA,,.), define [e],,, to be the formula of S{A) obtained by replacing each 
occurrence of the symbol Now by the term T ang(NOw), each occurrence of After by the 
term 7,,.(After), and each occurrence of Occurs by the term a(Occurs). Similarly, for 
each j € J, given a formula @ of 5{A), define [fp]; be the formula of 3(A) obtained by 
replacing each occurrence of Now by 7 (Now), each occurrence of After by a (After), 
and each occurrence of Occurs by 5(Occurs). 


The precise relationship between a formula and its translation is captured by 
Lemma |.2 below. An analogous result is stated in [Wolper82], where process of 
"lifting" specifications of processes to obtain specifications of a system of processes is 
called "relativization.” 


Lemma 1.2 (Translation Lemma) - Suppose that A is an implementation algebra for A,, . 
and <A),-,, Suppose that 9(v, ... v,,) is a formula of (A,,..) (resp. 3{A,), for some i € /), 
that a, ... , 4, iS an interpretation of the variables v,, ... , v,,, and that X is a history over 
Events, and States,. Then 

X F, Deansl2g/Mo «= Ban/ Mn) iff XOOPS) be ae Pl ag/Vp +++ 2g / Ven 
(resp. X F, fp] [ag/Vo -- @/V_) iff XO -, P[Ag/Vo +++ Bp / Vogl) 


Proof - Straightforward induction on formulas, based on the precise syntax and 
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semantics of S{A) given above. § 


In the sequel, to make formulas in the language J{A) of an implementation algebra 
_ Aeasier to read, we will often abbreviate the application of the functions T abs! and 7, to 
a variable or constant by simply affixing an appropriate subscript to that variable or 


constant. Thus, if q is a variable of sort States, then q.,_ and q, abbreviate M abs(9) and 


,(q), respectively. 


abs 


We can now give a formalized version of the Correctness Theorem. Roughly 
speaking, this result says that to prove the correctness of an implementation defined by 
an implementation algebra A, it suffices to perform the following three steps: 

(1) Determine the implementation invariant Inv(q) expressed in the first-order 
language L(A) and containing the single free variable q of sort States. Show the validity 
of two sentences of L(A), which assert that /nv is inductive. 

(2) Show the validity of a sentence of L(A) which implies that the maximality 
condition holds. This sentence is obtained by formalizing the maximality condition of 
the Correctness Theorem in the obvious way. 

(3) Show the validity of a sentence of S{A) that asserts that the validity 
condition holds. This sentence is formed from the sentences that describe the sets of 
valid computations for the abstract and component machines, through the use of the 
translation operation discussed above. 


Lemma 1.2 (Formal Correctness Theorem) - Suppose that A is an implementation 
algebra for A,,, and <A>... Suppose that Valid... 8 a sentence of aA abs)! and for each 
i, Valid, is a sentence of S{A,). Let S,p, be the state-transition specification defined by 
the pair <A,,,, Valid, .>, and for each i, let S, be the state-transition specification defined 
by the pair <A,, Valid>. Suppose that Inv(q) is a formula of L(A), with one free variable q 
of sort States, such that the verification conditions below hold. Then <3,, S,.., S > is 
correct. 


(Invariance): 

(Basis) = (Vq€States)(Init(q) + Inv(q)) 

(Induction) = (Vq,r€States, e€Events)(Trans(q, e, r) > (Inv(q) — Inv(r))) 
(Maximality): 

= (Vq€States, e€Events)((Inv(q) A A,¢, Enabled (q, e)) -> Enabled, .(q, @)). 
(Validity): 
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Comp & (Aj¢, {Valid J,) > [Valid Dane 

where 
Enabled,,.(q,¢) = (3r€States)Trans*°*(q,,., a(0), F.n6) 
Enabled(q,¢) = (3r€States)Trans‘(q,, 8(e), r). 


Proof - The basis part of the invariance verification condition states that Inv is true for 
all initial states, and the induction part of the invariance verification condition states that 
Inv is preserved under state transitions, and hence the truth of these two conditions 
implies that Inv is inductive. 


From the definition of the predicates Enabled, and Enabled, we know that 
Enablied,..(@. e) is true of a state q and event ée iff a(e) is enabled for Mach ree in state 
Gaps’ 2d similarly, Enabled (q, e) is true iff 5,(e) is enabled for Mach A, in state gq, The 
maximality verification condition therefore says that whenever q is a state such that 
Inv(q) holds, and 5(e) is enabled for Mach A in state q, for each ij with 1 <i <n, then a(e) 
is enabled for Mach vn in state Gans This implies the maximality condition required by 
the Correctness Theorem. 


By the Translation Lemma, we know that [Valid abel abs (S Satisfied by a computation 
X of Mach, iff Valid,,, is satisfied by the computation X‘>*) of Mach Ate Similarly, for 
each j we know that [Valid,]; is satisfied by a computation X of Mach, iff Valid, is satisfied 
by the computation X of Mach A’ Since a history X satisfies Comp iff X is a computation 
of Mach,, we see that the validity verification condition is the formal statement of the 
validity condition required by the Correctness Theorem. 


Since the truth of the verification conditions above implies that the hypotheses of 
the Correctness Theorem are satisfied, an application of the Correctness Theorem 
shows the correctness of the implementation <3,,S...,3>. § 


1.7 Rely-/Guarantee-Condition Proof Techniques 


In this section we give the formalized versions of the rely-/guarantee-condition 
proof techniques stated in Chapter 3. The first result formalizes Lemma 3.11. 


Corollary 1.4 (Formal Rely/Guarantee Technique 1!) - Suppose that A is an 
implementation algebra for A, and <A>,,,, Suppose that Valid... = Rely, - Guar,,. 
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is a sentence of HA 4s) and that Valid, = Rely, + Guar, for each i € / is a sentence of 
3{A,). Suppose that 
(1) Comp  (A,,, [Guar,],) + [Guar,, 4. and 
(2) There exists a well-founded partial order < on / such that for alli € /, 
Comp & [Rely clans 4 (Aj<; [Guar],) > [Rely]. 
Then Comp F (A,¢, [Valid,];) > [Valid,. Dans 


Proof - Straightforward from Lemma 3.11. 8 


The next result formalizes Lemma 3.12. 


Corollary 1.5 (Formal Rely/Guarantee Technique Il) - Suppose that A is an 
implementation algebra for A aba 2d <A_,. Suppose that Valid, = Rely. > Guar... 
is a sentence of SA, 5) and that Valid, = Rely, -- Guar, for each i € / is a sentence of 
3{A,). Suppose that for each i, j € / U {abs}, we have determined a sentence RG, , of 
3(A), such that properties (1)-(3) below hold. 
(1)(a) Comp = [Rely clans > Ne RG... j 
(b) Comp F A, RG, ws > [Guar,, Jabs 
(2)(a) Comp = RGae A Aiers {abs} RG,, > [Rely], for allj€/ 
(b) Comp [Guar]; > RG, aps A A /€l-+ {abs} 7 ; for alli €/ 
(3) (Acyclicity) - bestia {<i,11.>1 Cig 1,>, + Sis i, >} iS acycle of /, then 
Comp F V2" _RG 


k ar Idea 
Then Comp - (Avie; [Valid.],) =? [Valid Jape’ 


Proof - Straightforward from Lemma 3.12. 8 
1.8 1/O-Consistency Proof Technique 


The result below formalizes the technique for proving |/O-consistency expressed 
by Corollary 5.8. 


Corollary 1.6 - Suppose that S is the state-transition specification of |/O-interface E 
defined by the pair <A, Valid>, where the sets of inputs and outputs of E are defined by 
the unary relations /n and Out of type Events in A. Suppose that the event/state algebra 
A includes among its operations the finite collection of relations <Prod>,.,, where Prod, 
is of type States X Events X States. If the following sentences of 5{A) are valid, then S is 
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3,-consistent. 
(1) = Aj, (Wq,r€States, e€ Events)(Prod{(q, e, r) -» Trans(q, e, r)) 
(2)  (Vq€States, e€Events)(in(e) — (3r€States)Trans(q, e, r)) 
(3) F (Vq,r€States, e€Events)(Trans(q, e, r) A (Out(e) v e = A) > 
Vie, Prod{q, e, r)) 
(4) Comp & (A,¢, Fair,) Valid, 
where 
Fair, = O¢€Enabled{Now) ~ D0Prod(Now, Occurs, After). 
Enabled (q) = (3r€States, e€ Events) Prod,(q, @, 1) 


Proof - Straightforward from Corollary 5.8. Hypothesis (1) says that the Prod, are 
subsets of Trans. Hypotheses (2) states that Mach, is input-cooperative. Hypothesis (3) 
states that the Prod, cover the set of nonnull output or A-steps in Trans. Hypothesis (4) 
formalizes the requirement that every fair computation of Mach, is valid. & 
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Appendix I! - Additional Examples 


In this appendix the specification and' verification techniques introduced in the 
thesis will be further illustrated through two additional examples. The first example 
concerns the specification and implementation of a resource manager module whose 
function is to allocate resources in response to requests from user processes. The 
resource manager is implemented in a highly distributed fashion by a tree-structured 
system of local resource manager modules that communicate with each other to 
determine where resources should be sent. In the second example, a reliable message 
transmission service is specified, and an implementation by an unreliable message 
transmission substrate is given. Reliability is achieved through the use of a 
fault-tolerant protocol: the alternating bit protocol! [Bartlett69]. The alternating bit 
protocol example has been examined by several other researchers [Chen8&2, 
Hailpern80, Lamport83, Schwartz81], and has become somewhat of a standard for 
evaluating specification and verification techniques for concurrent systems. 


The major purpose of the additional examples given here is to lend support to the 
following assertion: Essentially the same techniques as were used to obtain 
specifications and a correctness proof for the synchronizer implementation, can be 
applied in a reasonably systematic way to achieve similar results on other nontrivial 
examples. Thus, the ideas of state-transition specification, rely- and 
guarantee-conditions, and the proof technique embodied in the Correctness Theorem, 
are not ad hoc concepts useful for a single example, but serve as generally applicable 
guiding principles. 


A second point illustrated by the examples of this chapter is that more elegant 
specifications can result if one first imagines the structure of a proof of correctness in 
which the specifications will be used, and then derives the module specifications in an 
attempt to satisfy the requirements imposed by the proof structure. The difference 
between specifications obtained via this approach and those resulting from the “specify 
first, prove later" approach can be seen by comparing the validity conditions given here 
for the send and receive protocol modules with the liveness properties given by Lamport 
[Lamport83] for these modules. The specifications and proof given below are to a large 
extent independent of the precise assumptions on the behavior of the unreliable 
transmission medium. Lamport’s presentation does not make this independence quite 
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so explicit. 


The observation that a proof of correctness can be used to derive component 
module specifications suggests the following genera! method for designing a correct 
implementation of a given abstract module: 

(1) Decide on the communication structure of the system of component 
modules (e.g. tree or ring structure). 

(2) For each pair of component modules that can possibly communicate, 
express informally the properties that each relies on/quarantees to the other to provide. 
These rely- and guarantee-conditions will serve to “cut” the interdependence of the 
component modules in a fashion similar to the way in which a loop invariant cuts the 
dependence of one iteration on preceding and succeeding iterations. 

(3) Select event and state sets for the component modules in such a way that 
the temporal language of the resulting implementation algebra is powerful enough to 
formally express the informally stated rely- and guarantee-conditions. 

(4) “Localize” the rely- and guarantee-conditions so that they are expressed in 
the temnoral language of each component module event/state alaehra. The rely- and 
guarantee-conditions of a resulting component module specification will be the 
conjunction of the localized rely- and guarantee-conditions, respectively. 


The examples in this appendix will be presented using the notation of Appendix I. 
11.9 A Distributed Resource Management Algorithm 


In this section, we consider the specification and implementation of a resource 
manager module RM, whose function is to allocate resources to a set of clients in 
response to requests from those clients. We will see how the resource manager can be 
implemented by a tree-structured network of local resource manager (LRM) modules, 
each of which communicates with a single client. Initially each local resource manager 
Starts out with some subset of the resources. As client requests arrive and are filled at a 
particular site, though, the locally available set of resources might be exhausted. An 
LRM that is deficient in resources must then attempt to obtain additional resources from 
other sites. The interesting part of the implementation is concerned with how the local 
resource managers communicate with each other to determine where the resources 
should be sent. The strategy by which this is accomplished is essentially the 
“™DYNAMIC-MATCH"” strategy of [Fischer83], although this stategy is explained here in a 
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slightly different and hopefully simpler way than in that paper. 


The resource manager example is presented here as a nontrivial exercise in the 
use of rely-/guarantee-conditions and an associated correctness argument as a basis 
for the derivation of specifications for the local resource manager modules. The use of 
rely-/guarantee-conditions as a guiding principle permits us to derive, in a reasonably 
systematic fashion, essentially the same specification for the local resource manager 
module as the node algorithm presented in [Fischer83]. The primary difference 
between the specification derived here and the algorithm of [Fischer83] is that we are 
not concerned here with the way in which an LRM resolves choices as to the pattern in 
which excess requests are forwarded to its neighbors. In [Fischer83], it is assumed that 
choices are resolved according to a specific probability distribution, and a large portion 
of the paper is concerned with probabilistic analysis of the consequences of this 
assumption. Here we concern ourselves only with showing that every request from a 
client is eventually satisfied, if possible. The argument provided in [Fischer83] of this 
basic correctness property is more of a proof sketch than a proof, and is somewhat 
unsatisfactory for this reason. 


11.9.1 Specification of the Resource Manager Module 


The function of the resource manager module RM can be described as follows: Let 
Clients be a set that contains the names of the clients with which the resource manager 
communicates, and let Resources be a set that contains the names of the resources to 
be managed. A client c requests a resource from the resource manager by issuing a 
request event request:c. The resource manager allocates a resource r to client c by 
issuing a reply event reply:<c, >. In this example, a resource that has been allocated to 
a client is never returned to the resource manager. 


The state of the resource manager can be thought of as consisting of a pair 
<pending, free>, where pending is a multiset of clients that represents the collection of 
unfilled requests and free is the set of available resources. The pending component is a 
multiset since we permit more than one request from a single client to be outstanding at 
one time. Receipt of a request from client c by the resource manager causes an 
instance of c to be added to the pending multiset. The event reply:<c, D can occur only 
if the client c is in the pending multiset and the resource r is in the free set. Occurrence 
of this event causes an instance of c to be removed from the pending set and the 
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resource r to be removed from the free set. It is clear from this description that no 
resource is allocated more than once and no more than one resource is allocated in 
response to each request. In addition, we would like the resource manager to respond 
eventually to every request, as long as the set of free resources has not been exhausted. 


To derive a more precise specification from the preceding informal description, we 
begin by defining the resource manager event/state algebra. Our description has the 
following as parameters: 

Clients: a finite set of clients 
Resources: a finite set of resources 
The interface of the resource manager is defined as follows: 
Events™ = {} + [request: Clients + reply: (Clients x Resources)]. 
in®™ = {A} + [request: Clients] 
Out®“ —s = _{)} + [reply: (Clients x Resources)] 
The state set for the resource manager is defined by: 
States" = [free: Set[Resources] X pending: MSet[Clients]]. 


In an initial state, the multiset of pending requests is empty, and all resources are 
free. 
Init®™(q) = q(tree) = Resources A q(pending) = @. 


The state-transition relation Trans®™ is defined by precondition/next-state 
predicate pairs as follows: 


A request event for client c can occur at any time, and causes c to be added to the 
pending set. 
(request) Pre, squest(% @, C) =e = requestic 

Next, guest(s / ¢) =r = q{(q(pending)U{c})/pending] 


A reply event with resource res for client c can occur only if res is in the free set and c is 
in the pending multiset. It causes res to be removed from the free set and an instance of 
c to be removed from the pending multiset. 


(reply) Pre, ooiy(@ @, C, res) =e = reply:<c, res> Ac € q(pending) A 
res € q(free) 
Next, .04(4) 1% ¢, res) =r = q[(q(pending)-{c})/pending, 


(q(free)-{res})/free] 
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The validity conditions for the resource manager module can be stated in 

rely-/guarantee-condition form as follows: Valid®"™ = Rely®™ + Guar®™, where 

Rely®™ = O(jNow(free)| > |Now(pending)}) 

Guar®™ = O(Vvc€Clients)(c € Now(pending) 

©(3r€Resources)(Occurs = reply:<c, P)). 

Thus, if the number of outstanding requests never exceeds the number of available 
resources, then the resource manager module guarantees that every request will 
eventually receive a reply. 


11.9.2 Implementation of the Resource Manager 


Our plan is to implement the resource manager module by a tree-structured 
network of local resource manager modules as depicted in Figure 3. Each local 
resource manager is responsible for filling requests originating from a single client. If 
the set of resources locally available is exhausted, the the LRM must try to obtain 
additional resources from elsewhere in the system. If an LRM has a surplus of 
resources, then it must be willing to give out resources to other LRM’s whose resources 


have already been allocated. 


To guide us in our derivation of the components that will be needed as part of an 

LRM state, let us first obtain a rough statement of the validity conditions that an LRM is 
to satisfy. We organize these conditions into properties the LRM relies on its 
environment to provide, and properties that an LRM guarantees to its environment in 
return. An LRM relies on: 

(1) No special properties on the part of the client. 

(2) The eventual elimination of resource debts owed to the LRM by its parent. 

(3) The eventual elimination of resource debts owed to the LRM by each of its 
children. 
In return for these properties, an LRM guarantees that: 

(1) Every client request eventually receives a reply. 

(2) Resource debts owed by the LRM to its parent will eventually be eliminated. 

(8) Resource debts owed by the LRM to each of its children will eventually be 
eliminated. 
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Fig. 3. Resource Manager Implementation 


Resource Manager Module 


To obtain formal statements of the preceding conditions, we must first obtain a 
precise definition of the notion of an LRM having a “resource debt” to one of its 
neighbors, and we must describe the mechanics of how such debts are incurred and 
eliminated. The introduction of the various components of the LRM state below can be 
viewed as providing us with enough expressive power in the language 9{A‘™) of the 
LRM event/state algebra, to permit the formalization of the undefined quantities in the 
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above statement of the LRM validity conditions. 


A significant feature of the validity conditions stated above is the complementary 
form of the rely- and guarantee-conditions. The conditions above have been selected in 
such a way that ultimately, in the resource manager implementation, the conditions 
relied upon by an LRM i from its neighboring LRM / will be precisely the conditions that 
LRM j guarantees to provide to LRM i. This symmetric statement of the validity 
conditions will be seen below to result in a rather simple and pleasant proof of 
correctness. 


With the above validity conditions in mind, we now attempt to identify the various 
events of the LRM interface and the components of the LRM state. We can identify 
immediately several kinds of events that must be in the interface of the LRM. 
Communication with the client requires the existence of a request event request, which 
represents the receipt of a request from the client, and a reply event of the form reply:r, 
in which resource r is allocated to the client in response to a prior request. 
Furthermore, the interface of an LRM must contain events corresponding to the transfer 
of resources between an LRM and its neighbors in the system. Let Resources be the set 
of names of all the resources that the LRM might be called upon to handle. For each r € 
Resources, the LRM interface includes the event parent_in:r, which represents the 
receipt of resource r from an LRM's parent in the tree, and parent_out:r, which 
represents the delivery of resource r by an LRM to its parent. Let Children be a set of 
names used to index the children of the LRM. For each c € Children and r € Resources 
the interface of the LRM includes the event child_out:<c, m, which represents the 
transfer of resource r from the LRM to child c, and the event child_in:<c, M, which 
represents the receipt of resource r by the LRM from child c. 


To describe the conditions under which transmission of resources between LRM’s 
and between a client and an LRM is permitted, we include in the state of each LRM a set 
free, which represents the resources locally available at the LRM, and a nonnegative 
integer pending, which counts the number of unfilled requests that originated at the 
client associated with the LRM. A request event causes pending to be incremented. A 
reply:r event can occur only if pending is nonzero and r € free, and causes pending to 
be decremented and r to be removed from free. The resource transmission events 
parent_in:r and child_in:r cause r to be added to the set free. The events parent_out:r 
and child_out:<c, m can occur only if r € free, and cause r to be removed from free. 
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We have thus settled the issue of how and when requests and replies are 
transmitted betweeen an LRM and its client, and how resources are shuttled between 
LRM’s. However, we have not yet determined how and when an LRM should request 
- resources from one of its neighbors, or when an LRM should issue resources to a 
neighboring LRM. To describe the conditions governing the transmission of resources 
between LRM’s, we introduce a few more components into the state of an LRM. The 
state of each LRM contains a component p_balance, and a component c_balance:c for 
each child c. The component p_balance represents the instantaneous “balance of 
payments" between the LRM and its parent, and c_balance:c represents a similar 
balance of payments between the LRM and child c. A positive balance represents a 
number of resources owed to the LRM by its neighbor, and a negative balance 
represents a number of resources owed by the LRM to its neighbor. These balances will 
be maintained so that the following relation is invariant: If p is an LRM with child c, then 
the c_balance:c component of the state of LRM p is always the negative of the 
p_balance component of the state of LRM c. This reflects the idea that resources owed 
by p to c can be viewed as a debit from the point of view of p, or as a credit from the 
point of view of c. These balances will be updated appropriately as requests are 
forwarded, and as resources travel between LRM’s in payment of debts. An LRM will 
transmit resources to its neighbor in an attempt to reduce its indebtedness. 


To represent the forwarding of requests between LRM’s we introduce the 
following additional kinds of events into the LRM interface: A forward_in event 
represents the receipt by the LRM of a forwarded request from its parent. Similarly, a 
forward_out:c event corresponds to the forwarding of a request by the LRM to child c. 
The event reject_out represents the forwarding of a request by the LRM to its parent, 
and the event reject_in:c represents the receipt of a forwarded request by the LRM from 
child c. We use the terminology reject for the forwarding of requests upward in the tree 
to emphasize the asymmetry inherent in the parent/child relationship. 


in determining the conditions under which forwarding and rejection events should 
be permitted to occur, we must attempt to avoid the following two bad situations: (1) 
We must avoid the deadlock situation in which two LRM’s are stubbornly requesting 
resources from each other, while each of their resource requirements could be fulfilled 
by resources from elsewhere in the system. (2) We must avoid the "livelock” situation 
in which a request is continually shuttled back and forth in the system without ever 
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reaching an LRM with available resources. Our proposal for resolving these difficulties 
is to have each LRM keep estimates of the number of surplus resources available in the 
subtree headed by each of its children. These estimates are to be optimistic in the 
sense that the estimate held by an LRM for child c is at all times an upper bound on the 
number of surplus resources actually available in the subtree headed by c. Situation (1) 
is avoided by having an LRM request resources from its parent only in the case that it 
has no resources locally available and there are no surplus resources left in any of the 
subtrees headed by its children. Situation (2) is avoided by requiring that an LRM only 
send a request to a child c if it estimates that there is a surplus of resources in the 
subtree headed by c. The effect of these two requirements is to ensure that the 
following invariant holds: If an LRM p owes resources to its child LRM c, then the 
number of resources owed by p to c is a lower bound on the instantaneous amount by 
which pending requests exceed available resources in the subtree headed by c. Thus p 
never Owes more resources to c than are actually required by c’s subtree. 


The balances of payments between an LRM and each of its neighbors can be 
combined with the number of pending requests and locally available resources to 
produce a quantity PBalance, which represents the projected net number of resources 
(positive = surplus, negative = deficit) that would be left at the LRM after all debts are 
paid. The quantity PBalance, defined formally below, is informally the number of free 
resources, plus the net number of resources owed to the LRM by its neighbors, minus 
the number of pending requests. The forwarding and rejection of requests by an LRM 
to its neighbors is done with the goal of "getting in the black;" that is, reducing the 
projected deficit. 


The remaining components we need as part of the LRM state are the following: 
For each child c, the state of an LRM contains a component c_estim(c) which is an 
integer that represents the optimistic estimate made by the LRM, of the projected 
number of resources that would be available in the subtree headed by child c, once all 
debts have been paid. If c is an LRM whose parent is p, then the state of c also contains 
a component p_estim, which is a local copy of the c_estim(c) component of the state of 
LRM p. Thus, not only does an LRM keep estimates of the projected number of 
resources remaining in the subtrees headed by each of its children, but it also keeps 
track of what its parent must currently estimate as the projected number of resources 
remaining in the subtree headed by the LRM. We permit p_estim and c_estim(c) to take 
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on arbitrary integer values, although it can be shown that if an LRM is used only in a 
system of other LRM’s in the way we envision, then p_estim and c_estim(c) are 
invariantly nonnegative. 


The important points of the preceding discussion of the LRM events and states 
can be summarized as follows: 

(1) The LRM interface contains events corresponding to requests from and 
replies to the client, transferring of resources from/to its neighbors, and forwarding and 
rejection of requests. 

(2) An LRM state contains a set free of locally available resources and a count 
pending of outstanding requests from the client, to ensure that every request receives a 
response and that no resource is allocated more than once. 

(8) An LRM state contains a record of its "balance of payments" with each of 
its neighbors. Transfer of resources and requests between LRM’s is performed to 
reduce indebtedness. If p and c are neighboring LRM's, then the balance kept by p for 
c is the negative of the balance kept by c for p. 

_ (4) An LRM state contains an estimate of the projected net number of 
resources that would remain, once all debts have been paid, in the subtrees headed by 
each of its children. This information is used to control the forwarding and rejection of 
requests. If p is the parent of c, then c maintains a local copy of p’s estimate of the 
projected number of resources remaining in the subtree headed by c. 


1.9.3 Local Resource Manager Specification 


From the informal discussion of the preceding section, we can derive a precise 
local resource manager specification. In the informal discussion above, we made no 
distinction between the root LRM and the other LRM's in the system. Although similar in 
many respects, the precise specifications of these two kinds of LRM’s will be slightly 
different since a root LRM has no parent. To avoid redundancy, the specifications of 
the two kinds of LRM will be presented simultaneously, with differences pointed out 
along the way. 


The parameters of the LRM are the following: 
Children: a finite set of children 
Resources: a finite set of resources 
IResources: the subset of Resources heid initially by the LRM 
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{estim,:¢ € Children}: _ initial estimates of the number 
of resources in the subtrees headed by 
each of the children. 


The set Children is a set of names used to identify the children of the LRM. The set 
Resources is a set of names for all of the resources that the LRM might have to deal 
with. This set includes the names of all resources initially held by the LRM, as well as all 
resources that might be transmitted to the LRM at some later instant by its neighbors. 
The set IResources is a subset of Resources that represents the set of resources initially 
available at the LRM. For each c € Children, the parameter estim, is a nonnegative 
number which the LRM uses as its initial estimate of the projected number of resources 
remaining in the subtree headed by child c. Since there will be no debts in an initial 
state, correct use of an LRM requires that each estim, equal the actual number of 
resources initially available in the subtree headed by child c. 


The interface of a node LRM is defined as follows: 
EventsNtRM = {)} + [CEvent + SEvent] 
InNtt#m = {A} + [ClEvent + SiEvent] 
OutNRLM = {A} + [COEvent + SOEvent], 
where 
CEvent = ClEvent + COEvent 
SEvent = SlEvent + SOEvent 
and 
ClEvent = {request} 
COEvent = [reply: Resource] 


SiEvent = [reject_in: Children + 
forward_in + 
parent_in: Resource + 
chiid_in: [Children xX Resource]] 


SOEvent = [reject_out: + 
forward_out: Children + 
parent_out: Resource + 
child_out: [Children x Resource]] 
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The events listed above have the following intuitive meanings: Client events are 
those in which the LRM communicates with the client, whereas system events are those 
in which the LRM communicates with other LRM’s. The client events are classified into 
request events, in which a request is received from the client, and reply events, in which 
a resource is sent to the client in response to a prior request. The system events are 
classified into: forwarding events (forward_out, forward_in), in which a request is 
forwarded from’an LRM to one of its children; rejection events (reject_out, reject_in), in 
which a request is rejected from an LRM to its parent; and resource transfer events 
(parent_out, parent_in, child_out, child_in), in which a resource is transferred from an 
LRM to one of its neighbors. The "_in" and "_out" suffixes denote the direction in 
which resources or requests flow; thus, forward_out:c is the event in which a request is 
forwarded from an LRM to child c, whereas forward_in is the event in which a forwarded 
request is received by an LRM from its parent. 


The interface Events®“®™ of a root LRM is obtained by omitting the forward_in, 
parent_out, reject_out, and parent_in events. 


The state set for both a node and a root LRM is defined as follows: 
States'®™ = [free: Set[Resource], 

pending: Nat, 

p_balance: Int, 

c_balance: [Children — Int], 

p_estim: int, 

c_estim: [Children — Int]]. 
The set free is the set of resources currently available at the LRM. The number pending 
is a counter that records the number of outstanding requests. The quantity p_balance 
records the net number of resources that the LRM either is promised by its parent, or 
promises to send to its parent. If p_balance > O, then the LRM is promised resources by 
its parent; if p_balance < 0, then the LRM promises to send resources to its parent. The 
mapping c_balance records similar information for each of the children. The mapping 
c_estim records the estimate of the projected number of remaining resources in the 
subtree headed by each child. The quantity p_estim is the LRM’s local copy of its 
parent’s estimate for the subtree headed by the LRM, as discussed above. 
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The initial state relation for the LRM is defined below. Recall that we view a finite 
multiset over a given universe as a function that assigns a finite multiplicity to each 
element of the universe. Lambda-notation has been used below as a shorthand for 
denoting particular multisets. 


Init*®*“(q) = q = <free: IResources, 
pending: 0, 
p_balance: 0, 
c_balance: (Ac€Children)(0) 
p_estim: l!Resources| + 2 ¢cpigren CStim,, 
c_estim: (Ac €Children)(estim,)> 


Thus, in the initial state, all resources in [Resources are free, no requests are pending, 
no resources are promised by/promised to any of the neighbors, and the estimated 
surplus of resources in the subtree headed by the LRM is the sum of the number of free 
resources initially at the LRM, plus the sum of all the initial estimates for the subtrees 
headed by each of the children of the LRM. . 


We can now give the formal definition of the quantity PBalance discussed above. 
PBalance(q) = |q(free)| - q(pending) + q(p_balance) + 
x €Chitdren 7(C_balance)(c). 
As discussed above, given a state q, PBalance(q) represents the net number of 
resources (positive = surplus, negative = deficit) that would be left at the LRM after all 
debts are paid. 


The state-transition relation Trans%“?™ for a node LRM is defined as follows: 
An incoming request from a client gets recorded as pending. 


(request) Pre, equest(?: e) =e = request 
Next aueat(7> r) =r = q{[(q(pending) + 1)/pending]} 


A resource res can be sent to the client if there is at least one pending request, and res 
is in the set of free resources. The resource res is removed from the set of free 
resources, and the number of pending requests is decremented. 


(reply) Pre, ..4(9; @ Fes) =e = reply:res A res € q(free) A 


q(pending) > 0 


reply 
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Next. (q,r,res) =r = q{(q(free)-{res})/free, 


(q(pending)-1)/pending] 


reply 


Receipt of a forwarded request from the parent means that the LRM promises to send 
one more resource to the parent, and consequently, that the LRM estimates a surplus of 
one fewer in its own subtree. 


(forward_in) Presoeward_in(9> e) =e = forward_in 
Next, ward_in(9> =r = q[(q(p_balance)-1)/p_balance, 
(q(p_estim)-1)/p_estim] 


A request can be forwarded to child c only if the LRM currently is "in the red" and 
estimates a surplus of resources in the subtree headed by child c. As a result of 
forwarding the request, the number of resources promised by child c is incremented, 
and the estimated number of resources in the subtree headed by c must be 
decremented. 


(forward_out) Pre, pward_out(?» e,c) =e = forward_out:c A 
PBalance(q) < 0 A q(c_estim)(c) > 0 
Next, ward_out(7» r,c) =r = q[(q(c_balance)(c) + 1)/c_balance(c), 
(q(c_estim)(c)-1)/c_estim(c)] 


Receipt of a rejected request from child c means that child c promises to send one 
fewer resource (or requires one more resource) than it did before, and thus the quantity 
c_balance(c) must be decremented. In addition, the fact that a request has been 
rejected by c means that the resources in the subtree headed by c have been 
exhausted, and thus c_estim(c) should be set to zero. 


(reject_in) Pre, eiect_in(7» e,c) =e = reject_in:c 
Next eiect inl rc) =r = q[(q(c_balance)(c)-1)/c_balance(c), 
0/c_estim(c)] 


A request can be rejected to the parent only if the LRM is "in the red" and there is no 
projected surplus in any of the subtrees headed by children of the LRM. By rejecting a 
request, the LRM promises one fewer resource to its parent, and hence reduces its 
projected deficit. In addition, p_estim must be zeroed to maintain the invariant equality 
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between p_estim and the corresponding c_estim component of the parent LRM. 


e) =e = reject_out A PBalance(q) <OA 
(vc €Children)(q(c_estim)(c) < 0) 
=r = q[(q(p_balance) + 1)/p_balance, 0/p_estim] 


(reject_out) Pre... ect_out(7? 


Next ict out: N 


The various resource transfer events occur when an LRM owes a debt and has an 
available resource. Their effect is to cance! out some of the debt. 


(q, @, res) =e = parent_in:res 
r,res) =r = q{(q(free)U{res})/free, 
(q(p_balance)-1)/p_balance] 


(parent_in) Pre are fice 


Next sent in( ; 


(parent_out) Pre... ent out(4 @: feS) =e = parent_out:res) A res € q(free) 
A q(p_balance) <0 
Next srentout( r, res) =r = q[(q(free)-{res})/free, 


(q(p_balance) + 1)/p_balance] 


(child_in) Pre cig in(@> @, c, res) =e = Child_in:<c, res> 
Nextonig in(Q: fC, res) =r = q[(q(free)U{res})/free, 
(q(c_balance)(c)—1)/c_balance(c)] 


(child_out) — Pregrig out(Gs & Cs 7eS) =e = Child_out:<c, res> A 
res € q(free) A q(c_balance)(c) < 0 
Next onig_out(> / © es) =r = q[(q(free)-{res})/free, 


(q(c_balance)(c) + 1)/c_balance(c)]} 


The definition of the state-transition relation Trans®“®™ for a root LRM is obtained 
by deleting the pairs above for the forward_in, parent_out, and parent_in events, and 
replacing the pair for reject_out events by the following pair for A-events: 


(A) Pre,(q,e) =e = A PBalance(q) <OA 
(Vc€Children)(q(c_estim)(c) < 0) 
Next, (q,) =r = q[(q(p_balance) + 1)/p_balance, 0/p_estim] 


The A-transitions permitted by this pair are necessary for the consistency of the root 
LRM specification: if the reject_out pair were simply deleted as were the forward_in, 


- 167 - 


parent_out, and parent_in pairs, then there would be no way for a root LRM to change 
the value of p_balance and the rely-condition Rely_external"“®™ defined below would be 


vacuous. 


To complete the specification of the local resource manager, it remains to define 
the validity conditions. As outlined in the informal discussion above, the validity 
conditions for the node and root LRM’s can be expressed in rely-/guarantee-condition 
form as follows: 

ValidNtRM = RelyNtRM _, GuarNtRM 
ValidPURM = Rely®LRM _, GuarRLRM, 


As was done in the informal discussion, it is convenient to factor the rely- and 
guarantee-conditions into what the LRM relies on each of its neighbors and the external 
environment to provide, and what the LRM guarantees in turn to each of its neighbors 
and the external environment. 


The rely- and guarantee-conditions for the node LRM are defined by 
RelyNURM = Rely_narentNtRM 4 (ve€Children)Rely_childt®M(c) 
GuarNtRM = Guar_client®™ ~ Guar_parentNt®™ , 

(Wc €Children)Guar_chitd'?™(c), 
The rely- and qguarantee-conditions for the root LRM are defined by 
Rely®tRM = Rely_external®“"™ (vc €Children)Rely_child'"™(c) 
Guar®tRM = Guar_client®™ ~ (vc€Children)Guar_child'®™(c). 


A node LRM relies on the eventual payment of debts owed to the LRM by its 
parent. 
Rely_parent™t®™ = 2(O0(Now(p_balance) > 0) > 
©(3r€Resources)(Occurs = parent_in:r)) 


Although a root LRM has no parent, the intuitive significance of a positive value for 
p_balance in the case of a root LRM is that the total number of requests in the entire tree 
exceeds the total number of available resources. Since we cannot expect a system of 
LRM’s to eventually satisfy all requests under such circumstances, a root LRM relies on 
the external environment to ensure that p_ba/ance is invariantly nonpositive. 

Rely_external?“® = G(Now(p_balance) < 0) 
Both kinds of LRM rely on each of their children to eventually eliminate debts owed to 
the LRM, either by the transmission of resources, or by the rejection of requests. 
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Rely_child'®™(c) = D(D(Now(c_balance)(c) > 0) > 
©((ar€Resources)(Occurs = child_in:<c, r>) v 
(Occurs = reject_in:c))) 


A node or root LRM guarantees to its client that pending requests will eventually 
receive a reply. 
Guar_client“®™ = O(Now(pending) > 0 -> 
©(3ar€Resource)(Occurs = reply:r)) 
A node LRM guarantees eventually to eliminate debts owed to its parent, either by 
actual transmission of resources, or by rejecting requests. 
Guar_parentN?™ = [(O(Now(p_balance) < 0) > 
©((ar€Resources)(Occurs = parent_out:r) v 
(Occurs = reject_out))) 
Both kinds of LRM guarantee eventually to pay debts owed to their children. 
Guar_child'®™(c) = O(C)(Now(c_balance)(c) < 0) > 
©(3r€Resources)(Occurs = child_out:<c, >)) 


In devising the validity conditions for the local resource manager module, it was 
necessary to choose between two possible forms in which to state the rely- and 
guarantee-conditions. Since we are often faced with, such choices in practice, it is 
useful to examine the motivation for the particular choice made here. As an example, 
consider the definition of Guar_parentN-®™, which was stated above in the form 
(1) Guar_parentNtR™ = 7(O(Now(p_balance) < 0) > 

©((ar€Resources)(Occurs = parent_out:r) v 
(Occurs = reject_out))) 
This guarantee-condition states that either.a parent_out or a reject_out will occur if 
there is the condition p_balance < 0 holds persistently (i.e. forever after some point). 
We might also have chosen the apparently stronger alternative form 
(2) Guar_parentNtRM = 2(Now(p_balance) < 0 > 
©((ar€Resources)(Occurs = parent_out:r) v 
(Occurs = reject_out))). 
which requires the occurence of a parent_out or reject_out event in the case that the 
condition p_balance < OQ occurs at a single instant. In fact, we claim these two 
sentences are equivalent in the context of the LRM specification. More precisely, we 
claim Comp! ?™ f= (1) <> (2). Clearly (2) implies (1) by temporal reasoning alone. To see 
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that Comp!®™ j= —(2) implies (1), suppose Comp"® and -(2). Then 
(*) ©(Now/(p_balance) < 0 A O((vVr€Resources)(Occurs # parent_out:r) A 
(Occurs # reject_out))). 
_ That is, eventually there is a point at which p_balance < 0 holds, but after which no 
parent_out or reject_out events ever occur. Inspection of the state-transition relation for 
the LRM shows that the only events that can cause p_balance to be increased are 
parent_out and reject_out events. This means that, if no parent_out or reject_out events 
occur, then p_balance < 0, once established, holds forever. Applying this result to (*) 
shows that 
(**) ©(O(Now(p_balance) < 0) A 
O((¥r€Resources)(Occurs # parent_out:r) A 
(Occurs # reject_out))). 
But (**) is precisely the negation of (1) above, and thus (1) and (2) are equivalent. 


In this example, where form (1) and form (2) are equivalent, we chose form (1) over 
form (2) because form (1) is more convenient for the proof of correctness. Once we 
have decided on form (1) for the guarantee condition Guar_parontNtRM, we must use the 


same form for the complementary rely-condition Rely_child'?™(c). Similar arguments 
apply to Guar_child“®™(c) and Rely_parentNtRM, 


11.9.4 The Resource Manager Implementation Algebra 


In this section we define the resource manager implementation algebra AP™', Let 
the following be given as parameters: 


Clients: a finite set of clients. 

root: a distinguished element of Clients 
Children: Clients — Set[Clients] | maps each client to a set of children 
Resources: a finite set of resources | 
{Resources,: c € Clients}: the initial partitioning of Resources. 


We require that <Clients, root, Children> be a rooted tree. Let parent: (Clients — {root}) 
— Clients be the function that maps each c € Clients to its parent. Define the function 
PDesc: Clients — Set[Clients], which takes an element c of Clients to the set of all 
proper descendants of c, in terms of the function Children in the obvious way. Define 
Desc(c) = {c} U PDesc(c) for all c € Clients. 
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The set Clients will be the index set for the interconnection; that is, there will be 
one LRM corresponding to each element of Clients. Define the embedded algebras A, . 
and {A piPé Clients} as follows: 


A eae is the resource manager event/state algebra A®™ with parameters 
Clients, Resources instantiated as Clients, Resources, respectively. 
A: is the local resource manager event/state algebra A‘? with 


parameters Resources, IResources, Children, {estim,: c € Children(root)} 
instantiated as Resources, Resources, Children(root), {2ucpescie) 
|Resources,|: c € Children(root)}, respectively. 

A: where p € Clients - {root}, is the local resource manager event/state 
algebra A‘®™, with parameters Resources, IResources, Children, {estim,: ¢ 
€ Children(p)} instantiated as Resources, Resources, Children(p), 
{Zyepescic) |Resources,|: c € Children(p)}, respectively. 


Let the composite interface for the resource manager interconnection be defined 


as follows: 
Events?M! = {\} + [request: Clients + 
| reply: (Clients X Resources) + 

forward: (Clients - {root}) + 
reject: Clients + 
down: ((Clients - {root}) X Resources) + 
up: ((Clients - {root}) X Resources)] 

InP! = {A} + [request: Clients] 

Out?! = {\} + (Events?! — InPM)), 


Intuitively, the event request:p corresponds to the receipt of a request by LRM p 
from its client, and reply:<p, corresponds to the allocation of resource r by LRM p to 
its client. The event forward:p represents the simultaneous occurrence of a forward_in 
event for LRM p, and a forward_out:p event for LRM parent(p). The event reject:p 
represents the simultaneous occurrence of a reject_out event for LRM p and a 
reject_in:p event for LRM parent(p). The event down:<p, r> represents the simultaneous 
occurrence of a parent_in:r event for LRM p and a child_out:<p, Om event for LRM 
parent(p). Finally, the event up:<p, m represents the simultaneous occurrence of a 
parent_out:r event for LRM p and a child_in:<p, r> event for LRM parent(p). Formally, 
these relationships are captured by the following definitions of the abstraction map a®™'|, 
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and the decomposition map § ®™! = <a> ectients: 


a Mle) = request: c ife = request: c 
= reply:<c, > ife = reply:<c, r> 
=X otherwise. 

arMi(e) = request ife = request:p 
= reply:r ife = reply:<p, > 
= forward_in ife = forward:p 
= forward_out:c ife = forward:c and p = parent(c) 
= reject_out ife = reject:p 
= rejectLin:c ife = reject:c and p = parent(c) 
= Child_in:<c, D ife = up:<c, > and p = parent(c) 
= Child_out:<c, ife = down:<c, > and p = parent(c) 
= parent_outir ife = up:<p, > 
= parent_in: r ife = down:<p, Dp 
=X otherwise. 


11.9.5 Proof of Correctness 


In this section we prove the correctness of the implementation <J,rmi, S,,., 
<S.cectents?» Where Sy is defined by <A,,., Valid™>, S_, is defined by 
“A oor Valid®'*>, and S, for c € Clients - {root} is defined by <A,, ValidN'*M), 


root’ 
Implementation Invariant: 


As usual, we factor the implementation invariant Inv’“\(q) for the resource 
manager implementation into an abstraction relation Abs®™'(qg) and a representation 
invariant Rep®™(q). The abstraction relation simply states that the set of free resources 
for the abstract resource manager module is just the union of the sets of free resources 
for each of the component LRM'’s, and that the multiset of pending requests for the 
abstract RM assigns to each client a multiplicity equal to the value of the state variable 
pending for the corresponding LRM. 

Abs?M\(q) = Fane(free) = Unccients Te(free) A 
Gapg(Pending) = (Ac €Clients)(q_(pending)) 
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It is convenient to factor the representation invariant into several conjuncts: 
Rep®'(q) = Disjoint(q) A Neighbor(q) A Owed(q) A Optim(q). 


The conjunct Disjoint(q) states that the sets of free resources possessed by two distinct 
LRM'’s are disjoint. 
Disjoint(q) = A. . ectients(¢ # 6’ > 9,(free)N q, (free) = @). 


The conjunct Neighbor(q) expresses the consistency constraints that hold between the 
values of the state variables for neighboring LRM’s. 
Neighbor(q) = A, ecients,c€Chitdren(p) ((9,(P-balance) = -q,(c_balance)(c)) A 
(q,(p_estim) = 9,(c_estim)(c))} 


The conjunct Owed(q) states that an LRM can be owed resources by its parent only if 
the LRM estimates no surplus in the subtree of which it is the root. 
Owed(q) = A p€Clie nts(@ _(P-balance) >o- 
PBatance(q,) + zceChitdren(p) q,(c_estim)(c) < 0) 


The conjunct Optim(q) states that the estimate p_estim held by an LRM p is optimistic in 
the sense that it is an upper bound on the actual projected number of resources 
remaining in the subtree of which p is the root, assuming that each estimate c_estim(c) 
held by p is an upper bound for the subtree rooted at c. 
Optim(g) = Apecients(9,(P-estim) > 
PBalance(q,) + ZL echidren(p) q,(c_estim)(c)). 


To show the inductiveness of Inv®™'(q), first note that the basis step, i.e. that 
Init?™'(q) + Inv®™!(q) holds for all q € States, is easily checked. A complete formal proof 
of the induction step, namely, that Trans®™\(q, e, r) > (Inv®™'(g) — Inv®!(r)), would be 
performed by case analysis on the event e. Such a complete proof would be quite 
tedious to read, and will not be included here. Rather, we will remark on the cases that 
are not quite trivial. Assume that Trans®™\(q, e, r) and Inv®™\(q) holds, to show Inv®™(r), 
We consider each of the conjuncts of Inv®™"(r) in turn. 


Abs™\(r):_ The truth of this predicate depends upon the values of r,(free) and 
r (pending), for each c € Clients, as well as T ape(free) and Fabs(PENding). The events e 
that affect the pending components of the state are request:c and reply:c. The effect of 
request:c is to add one instance of c to the multiset Qap;(PeNding), and to increment the 
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value of q (pending) by one. Clearly this preserves the desired invariant relationship. 
The case of e = reply:<c, res>, is similar. The events e that affect the free components 
of the state are up:<c, res>, down:<c, res>, and reply:c. Because of the fact that each 
up:<c, res> or down:<c, res> is participated in only by LRM c and its parent, and the 
effect on the states of these two modules is compiementary, it is easily verified that 
Uectents r (free) = Uveciients W-(free), holds fore = down:<c, res> or up:<c, res>. The 
case 6 = reply:<c, res> is slightly more troublesome, since to show that Ucectients / (free) 
= (Unccients %(free)) - {res}, we need to make use of the inductive assumption that 
Disjoint(q) holds. From this we know that if res € q_(free), for some c € Clients, then res 
€ q, (free) for all c  # c, and hence deleting res from q ;(free) in fact deletes it from the 
union of the free sets for all the component modules. 


Disjoint(r): The truth of this predicate depends only upon the values of r _(free) for each 
c € Clients. These components of the state are affected only by events of the form 
reply:<c, res>, up:<c, res>, and down:<c, res>. In case e = reply:<c, res>,.we have that 
r (free) = q,(free) ~ {res} and r, (free) = q, (free) for all c’ € Clients with c ‘#c. In 
Casé @ = up:<c, res>, and c € Children(p), we have that r {iree) = q, (free) U {res}, 
r(free) = q,(free) - {res}, and r, (free) = q, (free) for all c ‘ € Clients with c ‘ € Clients - 
{c, p}. Incase e = down:<c, res>, and c € Children(p), we have that r (tree) = 9, (free) 
- {res}, r,(free) = q (free) + {res}, and r, (free) = q, (free) for all c ' € Clients with c ' € 
Clients - {c, p}. in each of these cases it is easily checked that Disjoint(r) holds. 


Neighbor(r): Note that the predicate Neighbor(r) depends upon the values of 
r,(p_balance), r,(c_balance), r,(p_estim), and r,(c_estim), for each c € Clients. 
Enumeration of cases shows that the only events that affect the values of these 
components of the state are the events reject:c, forward:c, down:<c, res>, and 
up:<c, res>. However, examination of the definition of the LRM state-transition relation 
and the definition of the decomposition map § ®™! shows that each change in the state 
of a participant in one of these events is accompanied by a compensating change in the 
state of the other participant. For example, if c € Children(p), then occurrence of an 
event of the form reject:c makes r(p_balance) = q,(p_balance) + 1, but also makes 
r,(c_balance)(c) = q,(c_balance)(c) - 1. Thus the predicate Neighbor is preserved. 


Owed(r): Assuming that Owed(q) holds, the only way for Owed(r) to be false is for an 
event e to occur that increments q,(p_balance) when it is zero, or increments 
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PBalance(q,) + x echildren(p) q,(c_estim)(c) when it is zero. The only events that might 
have this property are e = reject:p, and up:<p, res>. In case e = reject:p, PBalance(q,) 
+ 2 €Children(p) q,(c_estim)(c) is incremented, but the precondition for this event 
requires that this quantity be less than zero, so Owed(r) hoids. In case e = up:<p, res>, 
the quantity 9,(p_balance) is incremented, but the precondition for e requires that this 
quantity be strictly negative, and hence Owed(r) holds. 


Optim(r): Assuming that Optim(q) holds, the only way for Optim(r) to be false is for the 
quantity q,(p_estim) to be decreased below the quantity PBalance(q.) + ZyEChitdren(c) 
q,(c_estim)(d), or for the latter quantity to be increased above the former. The only 
events that could possibly have this effect are forward:c and reject:c. If e = forward:c, 
then q.(p_estim) is decremented, but so is PBalance(q,) + ZyeChildren(c) q,(c_estim)(d). 
If e = reject:c, then PBalance(q.) + ZyEChildrent ej q,(c_estim)(d) is incremented and 
q,(p_estim) is set to zero. However, the precondition for e requires that the former 
quantity be negative. This fact implies that PBalance(r,) + LyeChildren(c) r,(c_estim)(d) < 
O and r,(p_estim) = 0, and Optim(r) holds. 


From the invariance of Owed, Neighbor, and Optim, we can derive the 
fundamental property of estimates upon which the correctness of the resource 
management system crucially depends. This property is expressed by Lemma Il.1 
below, which states that if an LRM jis owed resources by its parent, then the amount it 
is owed by its parent is a lower bound on the total instantaneous deficit in the subtree of 
which jis the root. To express this result formally, we introduce the quantity /Balance(q) 
where q is an LRM state, defined as follows: 

iBalance(q) = {q(free)| — q(pending). 
Whereas the quantity PBalance(q) introduced previously represents the total projected 
balance of resources at an LRM, after all debts have been paid, the quantity /Balance(q) 
represents the total instantaneous balance of resources at an LRM, where the amount 
of indebtedness is not taken into account. 


Lemma Il.1 - The following is invariant for the resource manager implementation: 
A p€Clients(7 p(P_balance) >o—- 
9,(p_balance) < 2 cpesc(p) IBalance(q,)) 


Proof - From their definitions, it is easily seen that the quantities PBa/ance(q) and 
IBalance(q) are related by the following identity, expressed in the language L(A‘P™) of 
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the LRM event/state algebra: 

PBalance(q) = IBalance(q) + q(p_balance) + 2 ¢cpigren 9(C-balance)(c). 
From this identity, a simple induction on the height of a node i € Clients in the tree 
<Clients, root, Children>, shows the truth of the following identity for all i € Clients: 


(1) Zicvescti) PBalance(q,) = q(p_balance) + Depescip) IBalance(q). 


That is, the total projected balance in the subtree of which / is the root is equal to the 
total instantaneous balance in that subtree, plus the net number of resources promised 
to be exchanged with the parent of i. 


The invariance of Owed(q) means that the following is invariant: 


(2) Niectients(9,(P-balance) >0—- 
PBalance(q,) + Zecnidreny 7(C-estim)() < 0). 


That is, if an LRM i is owed resources by its parent, then it must estimate no surplus of 
resources in the subtree of which j is the head, based on the estimates it has for each of 


iis children. 


The invariance of Neighbor(q) implies that the following is invariant: 
(3) Nyectiens(¥/E Children (i))(q(c_estim)() = q(p_estim)). 
Substitution of (3) into (2) shows the invariance of 


(4) A (q{p_balance) > 0 > 


i€ Clients 
PBalance(q,) + Ziechitdren() q(p_estim) <0). 


Using the invariant Optim(q) to substitute for qj(p_.estim) in (4) shows that 


(5) Nieciients(4(P_balance) > 0 + 
PBalance(q,) + Liechitdren() (PBalance(q,) + 


Ey echindrenyy %(c-estim)(k)) < 0). 


is invariant. Repeating this argument to eliminate all occurrences of c_estim yields the 
invariance of 


(6) Niectients(9(P-balance) > 0 -» Licdesc() PBalance(q,) < 0), 
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which states, intuitively, that if LRM i is owed resources by its parent, then there can be 
no projected surplus of resources in the subtree of which / is the root. 


By using (1) to eliminate PBalance in favor of |Balance in (6), we obtain the 
invariance of 
(7) Niectients(9,(P-balance) > 0 > 
q,(p_balance) + Devescti) IBalance(q,) <0), 
which is equivalent to the desired result. & 


Proof of Maximality 


The maximality verification condition is: 
= (Vq€States, e€Events)(Inv™'(q) A A cecients=nabled,(q, e) 
-> Enabled, .(q, @)). 
The proof of this assertion is most easily performed by a case analysis on the event e; 
making use of the fact that the module specifications define the state-transition relation 
by precondition/next-state predicate pairs. If e = forward:c, reject:c, down:<c, M, or 
up<e, D>, then a’’\e) = A, and hence Enabled, .(q, e) = true. We therefore need 
consider only the cases e = request:c and e = reply:<c, . Ife = request:c, then 
a®Ml(9) = request:c, and hence Enabled, .(q, 6) = true. 


We are left with the case e = reply:<c, r>. In this case, we obtain the following 

from the module specifications: 

Enabled,,,(q, €) =r € q,,,(free) Ac € q,, (pending) 

Enabled.(q,e) =r€q_(free) A q,(pending) > 0 

Enabled _(q, e) = true, if p € Clients — {c}. 
Assume Inv"(q), and hence Abs'(q), holds. Assume further that Aj ccients 
Enabled ,(q, e) holds. From Enabled ,(q, e) we know that r € q,(free) A q.(pending) > 0 
holds. From this and Abs"\(q) we infer that r € q,, (free) Ac € q,, (pending) holds, as 
desired. 


Proof of Validity 


To prove that the validity verification condition holds for the resource manager 
implementation, we use Corollary |.5. To apply Corollary |.5, we must find, for each i, j, € 
Clients + {abs}, a sentence RG, , of g(ARM!) such that the following hold: 
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(RMI1)(a) Comp™! = fRely®] 5 > Aicciients RGabs, 
(RMI1)(b) Comp™! & Aicoients RG; ans > [Guar]... 
(RMI2)(a) 


iroot — [Rely**™) 
NL 
(node) Comp™! & A, ie ctients-{root) ‘Are cients + {abs} PG; > [Rely I) 
(RMI2)(b) 
(root) ve = ([Guar**My Aveciients + {abs} RG, oor) 
(node) Comp™ eas Pscscw er ([Guar™- mM, = /€Clients + {abs} RG, ) 
(RMI3) Whenever {<igy fi, 1,> Siys ig?, +++ s ,_4s >} iS a cycle of Clients, then 


Comp™! = viet RG : 
P hn ee 


(root) see  (Aiecients + {abs} RG; 


n-1' 


The sentences RG, j bear a particular relationship, formalized in Lemma II.2 below, 
to the various Conjuncts appearing in the local resource manager validity conditions. 
Lemma 1!.2 states in essence, that the local resource manager validity conditions are 
"localized" versions of the sentences RG, ; Part (a) of Lemma II.2 states that the 
sentence RG, parent() captures exactly what LRM j guarantees to its parent and exactly 
whet LRM narentii) relies on / to provide. Part (b) states that the scntence Ri NS arenti) J 
captures exactly what LRM j relies on its parent to provide, and exactly what LRM 
parent(/) guarantees to provide to /. Part (c) states that the sentence RG. s,root captures 
exactly what the root LRM relies on the external environment of the system of LRM’s to 


provide. Part (d) states that the sentence RG captures exactly what LRM / 


jabs 
guarantees to provide to the external environment of the system of LRM’s. 


The sentences RG, j are defined as follows: 


RG, ootabs = O(Now,,.,(pending) > 0 > 
©(3r€Resources)(8"i(Occurs) = reply:r)) 
RG ps root = O(Now,,,,,.(p_balance) < 0) 


For all i, j € Clients - {root}: 
RG = O(Now (pending) > 0 > 
©(3r€Resources)(5*'(Occurs) = reply:r)) 


jabs 


RG,.. j; ztrue. 
For all i € Clients — {root}: 
RG, pare au) = D(O(Now (p_balance) < 0) > 
©((3r€Resources)(6*'(Occurs) = parent_out:r) v 
(8°“(Occurs) = reject_out)) 
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RG. rent{i) = D(O(NowW ,, enti)(C-balance)(i) <0) — 
©(ar€Resources)(57M,,4)(Occurs) = child_out:<i, >)) 
For all i, j € Clients such that neither i = parent(/) or / = parent(s): 
RG = true. 


iJ 


Lemma Il.2 - The following are valid for the resource manager implementation: 
(a) For all i € Clients — {root}, 
RMI 
Comp™ = RG, sarent() - 
[Guar_parent'PM] ++ 
{Rely_child'®(/)} 
(b) For all i € Clients - {root}, 
RMI 
Comp™ = RG, wur 
[Rely_parentN'*M], «> 
(c) © Comp®™' = RG <> [Rely_external®-R¥y 
(d) For all i € Clients, 
Comp™" = RG, 34, <* [Guar_client' PY], 


parent(/} 


abs,root root 


Proof - Straightforward, using the invariance of Neighbor and the definition of the 
decomposition map § °M!, g 


Lemma 11.3 - Under the definitions given above for the sentences RG, ;? conditions 
(RMI1)-(RMI3) hold for the resource manager implementation. 


Proof - Assume Comp™|, 


To prove that (RMI1){a) holds, we must show 
PRely Dns > Arecient RGare, 
Suppose that [Rely™],,_ holds. It suffices to prove that RGus root NOldS, since RG... ; = 
true for all / € Clients - {root}. [Rely"].,., is defined by: 
fRely™]... = O(iNow,, (free)] > |Now,,(pending)|). Using this and the 
invariance of the predicate Abs®™', we infer the truth of O(Zicojents (INOw(free)| - 
Now (pending)) > 0), which is equivalent to 


(A) O(c cjents /Balance(Now,) > 0). 
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From Lemma il.1 and the fact that Desc(root) = Clients, we infer that 
O(Now,,,(p_balance) > 0 - Now, (p_balance) < -Ziccyen,, [Balance(Now,)). From 
this and (A), we conclude that Blase pt < 0), which is precisely the 


statement that RGarcr aa holds. 


To prove (RMI1)(b), we must show 

Nieciients RG jabs” [Guar]... 
Suppose that Ajecients RG; abs holds. From the definition of RG; aos we know that 

Avecients O(Now (pending) > 0 - ©(3r€Resources)(87M(Occurs) = reply:r)) 
holds. From the invariance of Abs®™! and the definition of the abstraction map a®™! we 
infer that 

Niectients O(i € Now abs(Pending) a 

©(ar€Resources)(a®’(Occurs) = reply:<i,r>)) 

holds. This is precisely the statement that [Guar®¥] abs NOlds. 


We next prove (RMI2)(a). In case (root), we must show 
RLRM 

(root) Niectients + {abs} RG; root pi [Rely Droot" 
From the root LRM specifications we know that 

[Rely_external"'™} 0A Aiccnidren(roon [Rely_child'*M(],... <> [Rely*PM] 
Using Lemma II.2 (a) and (c) we infer that 

RG ars root A Aiechitdrentroo) °F 
which implies formula (root). 
In case (node) we must show that for all j € Clients, 

NL 

(node) Areciients + fabs) RG, > [Rely sad 
Fix j to be an arbitrary element of Clients. From the node LRM specifications we know 
that 


RURM 
j,root pid [Rely Droot' 


[Rely_parentY "A AvechidrenylRely_child' PM()], <> [Rely My. 
Using Lemma 11.2 (a) and (b) we infer that 
NLRM 
RG arenas ® Nechitsren Gi;  FRely™'"]), 
which implies formula (node). 


We next show (RMI2)(b). In case (root) we must show 
RM 
(root) [Guar"* lea’ Nieciients + {abs} RG cory: 
From the root LRM specifications we have 
[Guar®PMy <> [Guar_client'Y}, 0. A Arcchidrentroot) IGuar_child' Mi]... 
Using Lemma II.2 (b) and (d), we infer 
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LR 
[Guar® asl [ee +. RG, otabs A Niechitdrentroot) Groots" 


This implies formula (root), since RG, j= true unlessj = abs or j € Children(root). 
In case (node) we must show that, for all / € /: 
(node) [Guar ®}, > Arccients + {abs} RG, 
Let i be an arbitrary element of Clients, and assume [GuarN‘®]. From the node LRM ~ 
specifications we have 

[GuarN'*M] [Guar_client“*™}, A [Guar_parent™*PM), a 

A echitdrenty (Guar_child' (yy, 

Using Lemma 1.2 (a), (b), and (d), we infer 

[Guar], <> RG, 3. ARG, caren * (W/E Children()RG, ,. 
This implies formula (node), since RG, /= true unless / = abs, / = parent(/), or j € 


Children(/). 


To prove (RMI3) it suffices to show that RG, sarent() Vv RG arent(i./ holds for all i € 
Clients - {root}. This is because every cycle {<i /,>, ... , “i,_,, /,>} of Clients either 
.v for which RG, ae = true by definition, or else contains both 
links <i, parent(/)> and <parent(i}, > for some i C Clients — {root}. 


contains a link <i, by 


To show RG, parentin V RG arent, NOlds for all i € Clients - {root}, let i be arbitrarily 
fixed, and suppose that TRG, parent() holds, to show that RG, srentii, holds. By definition 
of RG, narent(?) we know that OO(Now,(p_balance) < 0) holds. By the invariance of 
Neighbor, we infer that OD(NoW, sreny(o-balance)(i) > 0) holds. This implies that 


RG, arent() j holds. 8 


11.10 A Message Transmission System 


In this section we consider the specification and implementation of a message 
transmission module TM, whose function is to reliably deliver messages input by one 
user, called the sender, to another user, called the receiver. Messages should be 
delivered in the order in which they are sent, and should not be subject to loss or 
duplication. The message transmission module therefore behaves as a FIFO buffer 
between the sender and the receiver. The interesting part of this example is how the 
reliable FIFO buffer behavior of the message transmission module is implemented by a 
transmission module implementation TMi, which consists, in part, of unreliable 
transmission line components. This is accomplished through the use of a send protocol 
module and a receive protoco! module, which together implement the alternating bit 
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protoco! [Bartlett69]. 


The alternating bit protocol is a standard example for which correctness proofs in 
_ varying styles have been given by other researchers. Most analyses treat only safety 
properties, however the proofs given by Hailpern and Owicki [Hailpern80] and Lamport 
[Lamport83] treat liveness properties of the protocol in addition to safety properties. 
The major deficiency of Hailpern and Owicki’s treatment is the unstructured and 
apparently ad hoc nature of the specifications and the correctness proof. It is difficult to 
discern from their work very much in the way of a general method (with the exception of 
their use of history variables, which can be seen as a special case of the state-transition 
approach espoused here) likely to be applicable to other examples. In contrast, the 
specifications and correctness proof given below are an instance of a general strategy, 
which is embodied in the state-transition approach to specification, the use of rely- and 
guarantee-conditions, and the Correctness Theorem. 


Of the extant proofs of the correctness of the alternating bit protocol, that of 
Lamport [Lamport83] is perhaps the most similar to the one given here. The modules 
are specified in a state-transition style quite like that proposed here. It is possible to 
identify portions of Lamport’s proof that correspond to the proof of invariance of the 
abstraction relation and implementation invariant given below. The major difference 
between Lamport’s proof and the one given here is in the statement and proof of the 
liveness (i.e. validity) properties. Lamport's liveness specifications for the send protocol 
module take the form: "If the send protocol module has an unprocessed message, then 
it will eventually give a packet containing that message to the unreliable transmission 
medium for transmission to the receive protocol module;" "If a correct 
acknowledgement is received by the send protocol module, then eventually the protocol 
will progress to the next unprocessed message;" etc. These are “low-level” 
specifications that can be thought of as essentially a set of assertions that might appear 
in an assertional proof that a particular program satisfies the specification. In contrast, 
the specifications given here are of the form: “If the send protocol! module can rely on 
the fact that sufficiently many transmissions of packet p will eventually result in the 
receipt of an acknowledgement for packet p, then it guarantees eventually to process 
every message given to it as input.” This is a “higher-level” specification that states 
what the send protocol module accomplishes without detailing a chain of intermediate 
steps by which it is. accomplished. 
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A feature that distinguishes the proof presented here from previous proofs, is that 
the proof here is to a great extent independent of the precise assumptions on the 
reliability of the transmission line components. The specifications of the transmission 
line module are expressed in the form: “If a message m is transmitted according to 
certain conditions Xmit(m), then eventually m will be delivered according to conditions 
Divr(m)." For concreteness, we use "m is transmitted repeatedly, without intervening 
transmission of any different message m ‘" for Xmit(m), and a symmetric condition for 
Divr(m). However, Xmit(m) and Divr(m) can easily be replaced with alternative 
conditions without change to the proof structure. 


1.10.1 Specification of the Message Transmission Module 


The interface of the message transmission module TM consists of two kinds of 
events: those of the form TM_in:m, in which message m is presented to the transmission 
module by the sender, and events of the form TM_out:m, in which message m is 
delivered by the transmission module to the receiver. We wish to state that the 
transmission module delivers messages in FIFO order without loss or duplication. We 
can think of the state of the transmission module as a sequence of the messages input 
by the sender but not yet delivered to the receiver. Equivalently, and for our purposes 
more conveniently, the state of the transmission module can be thought of as a pair 
<ing, outq> of sequences of messages, where inq represents the entire history of 
messages that have ever been input to the transmission module by the sender, and outq 
represents the entire history of messages that have ever been output to the receiver by 
the transmission module. The sequence of messages sent but not yet delivered by the 
transmission module is represented, in this alternative state set, by the sequence 
ing-outq. 


Based on this selection of state set, let us now derive a precise specification of the 
transmission module. 


Let Values be a finite set of message values, given as a parameter. The interface of the 
transmission module is defined as follows: 

Events™ = {A} + [TM_in: Values + TM_out: Values]. 

In™ = {A} + [TM_in: Values] 

Out™ = = {a} + [TM_out: Values]. 
The state set for the transmission module is defined by: 
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States™ = [inq: Seq[Values] < outq: Seq[Values]]. 
If q € States™, then we write q(inq-outq) as an abbreviation for q(inq) — q(outa). 


In an initial state for the transmission module, the queue is empty. 
Init™’(q) = q(ing) = q(outa). 


The state transition relation Trans™ is defined by precondition/next-state 


predicate pairs as follows: 


An input event with message m can occur at any time, and causes message m to be 
appended to the end of ing. 
(TM_in) Presa in(M e, m) =e = TM_in:m 

Nextiy j (9s 4M) =r = q[{(q(inq))-m/ing] 


An output event with message m can occur only if there is a message that has been sent 
but not yet delivered, and m is the first such message. The effect is to append m to the 
end of outa. 


FYSA out} Pro ould c,m) =e = TM_out:m A q(outq) < g{ing) A 
m = (q{inq-outq)(0) 
Nextiy out(@s 7) =r = q[(q(outq))*m/outa]. 


We wish the validity condition for the transmission module to capture the 
requirement that every message sent is eventually delivered. This is captured by the 
definition below, which states that, given any prefix s of ing, there is eventually a later 
time at which s is also a prefix of outa. 

Valid™ = Rely™ — Guar™ 
where 
Rely™ = true 
Guar™ = O(vs€Seq[Values])(s < Now(ing) - O(s < Now(outq))). 


1.10.2 Implementation of the Transmission Module 


Figure 4 shows the implementation of the transmission module by a send protocol 
module SP, a receive protocol module RP, a sender-to-receiver transmission line 
module SRTL, and a receiver-to-sender transmission line module RSTL. Messages 
received from the sender by the send protocol module (an "in" event) are placed in a 
queue for transmission to the receive protocol module. When this queue is nonempty, a 
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packet consisting of the first message in the queue and a current boolean sequence 
number is transmitted (via a "pkt_out" event) by the send protocol module SP over the 
transmission line SRTL. In contrast to the reliable transmission module specified in the 
preceding section, the transmission line module is inherently unreliable, and might lose 
or duplicate messages. We require, however, that the transmission line not reorder 
messages. Since messages might be lost, in general it will be necessary for the send 
protocol module to transmit the same packet a number of times before it is delivered to 
the receive protocol module. Thus the send protocol module continues to send the 
packet until an acknowledgement for the sequence number it contains is received (an 
“ack_in"” event) over the transmission line module RSTL. Receipt of a correct 
acknowledgement by the send protocol module causes the first message to be removed 
from its queue. In addition the send protocol module complements its sequence 
number. 


When a packet arrives at the receive protocol module (via a "pkt_in" event), it is 
checked to see if its sequence number is current. If the sequence number is current, 
then the message is extracted and nlaced in a queue of messages to be delivered to the 
receiver. Also, the sequence number expected by the receive protocol module is 
complemented. The receive protocol module ignores packets that do not contain the 
current sequence number. The receive protocol module transmits acknowledgements 
for the most recently received packet over the transmission line module RSTL (via 
“ack_out" events). Whenever the queue of messages to be delivered to the receiver is 
nonempty, then a message can be removed and sent to the receiver (via “out” events). 


1.10.3 Specification of the Transmission Line Module 


The interface of the transmisssion line module contains events of the form 
TL_in:m, which correspond to the presentation of message m for transmission, and of 
the form TL_out:m, which correspond to the delivery of message m to its destination. 
Thus, the interface of the transmission line module TL is isomorphic to that of the 
message transmission module. The difference between the two modules lies in the fact 
that, whereas the transmission module guarantees to deliver each message exactly 
once, the transmission line module is permitted to lose or duplicate messages any 
number of times. We require, however, that the transmission line module not reorder 
messages. Also, we require that repeated input of messages to the transmission line 
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Fig. 4. Transmission Module Implementation 


Sender Receiver 


Transmission 
Module 


module will eventually cause messages to be delivered. 


We will use the same state set for the transmission line specification as we used for 
the transmission module specification. However, the intuitive meanings of the 
components ing and outg of the state are significantly changed, as is the state-transition 
relation and validity condition. For the transmission line module, the sequence ing 
represents a sequence of messages, each of which Is destined to be delivered at least 
once. However, each message in ing might be delivered more than once. The 
sequence outq represents the messages in ing, each of which has already had all its 
copies delivered, and will therefore never be delivered again. The state transition 
relation is modified to permit message loss and duplication as follows: The possibility of 
message loss is captured by the fact that input events are permitted either to produce 
no state change (corresponding to the loss of the associated message) or to append the 
message exactly once to the end of ing (indicating that the message is destined to be 
delivered eventually at least once). The possibility of message duplication is captured 
by the fact that output events are permitted either to produce no state change 
(corresponding to the duplication of the message just delivered) or to add the message 
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to outg (corresponding to the delivery of the final copy of the message). 


Note that the preceding description is only one of many possible ways of 
presenting the same transmission line specification. For example, we could have 
captured the possibility of message loss or duplication by stating that the occurrence of 
a TL_in:m event causes the message m to be appended &k times to ing, where k is a 
nondeterministically chosen natural number. Occurrence of a TL_out:m event would 
then be possible only if m is the first element of ing not also in outq, and would cause m 
to be appended precisely once to outg. The transmission line specification is an 
example of an indeterminate specification (see Section 6.2), which means that a single 
observation can be produced in more than one computation. Although we could give a 
determinate transmission line specification equivalent to the indeterminate version used 
here, the use of an indeterminate specification seems more natural. 


.We now make the above informal specification more precise. As in the case of the 
transmission module specification, let Values be a finite set of message values, given as 
a parameter. Define the interface of the transmission line module as follows: 

Events't = {A} + [TL_in: Values + TL_out: Values]. 
Inte = {A} + [TL_in: Values] 
Out™ == {A} + [TL_out: Values] 
Define the state set of the transmission line module by: 
States™ = [ing: Seq[Values] < outq: Seq[Values]}. 


/ 


In an initial state, the transmission line queue is empty. 
Init™(q) = (ing) = q(outa). 
The state-transition relation Trans" is defined as follows: 


An input event with message m can occur at any time, and either causes no change in 
State (the message is lost) or appends the message to the end of the queue (the 
message is destined to be delivered). 
(TL_in) Prey, i(9,€.m) =e = TLiinim 

Next, ((9.4.m) =r = qvr = a[(a(ing))*m/ing] 


An output event with message m can occur only if there is a message that has been sent 
but for which the last copy has not yet been delivered, and m is the first such message. 
The message m is either appended to outq (corresponding to the last copy of m being 
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delivered), or there is no state change (corresponding to the duplication of m). 
(TL_out) Prey, (9: €,m) =e = TL_outim A q(outq) < g(ing) A 
m = (q(inq-outq))(0) 
Nexty, ould, rm) =r=qvr = q[(q(outq))*m/outq]. 


The validity condition for the transmission line module should express the 
requirement that, for each message , if the transmission of m satisfies certain minimal 
conditions (e.g. that m is transmitted repeatedly, without intervening transmission of 
other messages), then the transmission line module will ensure that m will eventually be 
delivered according to certain conditions (e.g. m will eventually be delivered repeatedly, 
without intervening transmission of other messages). Formally, 


Valid™ = Rely™ -» Guar™ 
Rely™ = true 
Guar™ = C(Wm€Values)(Xmit™(m) — ODivr™(m)), 


where Xmit™(m) describes the conditions required on the transmission of message m 
and Divr'™(m) describes the corresponding conditions according to which m will be 
delivered. Aside from the requirement that the resulting specification be consistent, 
there is a reasonable amount of flexibility in the choice of the conditions Xmit™(m) and 
Divr™(m). We will see later that the particular choice of conditions does not 
significantly affect the proof of correctness of the transmission module implementation, 
as long as the conditions Xmit™(m) and Divr™(m) interact properly with corresponding 
conditions appearing in the specifications for the send and receive protocol modules. 
For concreteness though, we make the following definitions: 
Xmit™(m) = OO(Oceurs = TL_in:m) A 
O(v¥m '€Values)((Occurs = TLin:m ‘> m'‘ = m). 
Divr™(m) = 00(Occurs = TL_out:m) A 
O(Vm ‘E€Values)(Occurs = TL_out:m'’—~m' = m). 
Intuitively, the condition Xmit™(m) states that the message m is transmitted repeatedly, 
without any transmission of other messages m '. The condition Divr™(m) states that the 
message m is delivered repeatedly, without any delivery of other messages m '. 
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11.10.4 Specification of the Send Protocol Module 


The send protoco! module SP interfaces between the sender and the SRTL and 
RSTL transmission line modules. Its function is to implement one half of the alternating 
bit transmission protocol. The interface of the send protocol module consists of three 
kinds of events: SP_in:m, which represents the receipt of message m from the sender, 
SP_pkt_out:p, which represents the transmission of packet p over the unreliable 
transmission line SRTL, and SP_ack_in:b, which represents the receipt of an 
acknowledgement for sequence number b from the unreliable transmission line RSTL. 


_. The state of the send protocol consists of three components: a sequence ing of all 
messages that have ever been received from the sender, a sequence outq of all 
messages that have been acknowledged by the receive protocol module, and a boolean 
component sn, which records the current sequence number. Choosing outq to be the 
sequence of acknowledged messages, rather than the sequence of all messages 
transmitted to the SRTL transmission line, allows us to obtain a simpler correctness 
proof than that presented by Hailpern and Owicki [Hailpern80]. In that paper, the use of 
the actual history of messages transmitted requires the correctness proof to define and 
reason about certain functions whose purpose is essentially to extract the history of 
acknowledged messages from the history of all transmitted messages. 


Informally, the send protocol module behaves as follows: Occurrence of a 
SP_in:m event causes the message m to be appended to ing. When there is a message 
to be sent, and processing of all previous messages has been completed, the message 
is paired with the current sequence number to form a packet p, which is then given to 
the unreliable transmission line SRTL to be transmitted to the receive protocol module. 
The send protocol module continues to transmit the packet p until an acknowledgement 
for its current sequence number arrives over the unreliable transmission line RSTL. 
When a correct acknowledgement arrives, the message acknowledged is appended to 
outg, signifying that it has been successfully delivered, and the current sequence 
number is complemented. 


More precisely, let Values be a finite set of message values, given as a parameter. 
The interface of the send protoco! module is defined as follows: 
Events? = {A} + [SP_in: Values + SP_pkt_out: Pkts + SP_ack_in: Bool] 
InsP = {A} + [SP_in: Values + SP_ack_in: Bool] 
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OutS? —s = {A} + [SP_pkt_out: Pkts]} 

Pkts = [msg: Values X sn: Bool], 
where Pkts is the set of packets. The state set for the send protocol! module is defined 
by: 

StatesS° = [ing: Seq[Values] x outq: Seq[Values] X sn: Bool]. 


In an initial state, the queue is empty, and the sequence number is false. 
Init°(q) = q(inq) = q(outq) A q(sn) = false. 


The state-transition relation Trans®? is defined as follows: 


An SP_in:m event can occur at any time, and causes the message m to be appended to 
ing. 
(SP_in) Preg, j,(q,e,:m) =e = SP_in:m 

Nextsp i,(9.m) = =r = q[(q(ing))-m/ing] 


An SP_pkt_out:p event can occur only if there is a message that has been received from 
the sender but not yet successfully transmitted to the receiver, p(ivisg) is the first such 
message, and p(sn) is the current sequence number. There is no effect on the state. 
(SP_pkt_out) Prep _pkt_out( e,p) =e = SP_pkt_out:p A q(outq) < q(ing) A 
p(msg) = (q(inq-outg))(0) A p(sn) = (sn). 
Next,, pktout(9 f,p)=r=q. 


An SP_ack_in event for acknowledgment b can occur at any time. If b does not match 
the current sequence number, or if there is no message currently being transmitted, 
then there is no change in state. !f b does match the current sequence number and 
there is a message currently being transmitted, then this indicates that the message has 
been successfully transmitted. In this case, the current message is appended to outq, 
and the sequence number is complemented. 

(SP_ack_in) Pregp ack_in(7> e,b) =e = SP_ack_in:b 

NeXxtgp sch inl 5) = ((q(ing) = q(outa) v b # q(sn)) > 1 = q) A 
((q(outq) < q(ing) A 6 = q(sn)) > 
r = q{—(q(sn))/sn, 
(q(outq))-q(ing-outg)(0)/outa)). 
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With the validity condition for the send protocol module, we would like to capture 
the following: If the send protocol can rely on the fact that repeated transmissions of a 
packet eventually result in the repeated receipt of acknowledgements for that packet, 
then it guarantees that every message appearing in ing will eventually aiso appear also 
in outq. This requirement is stated in rely-/guarantee-condition form as follows: 
ValidSP = RelyS° + GuarS? 
RelySP = D(vpePkts)(Xmit$?(p) - oDivr5?(p(sn))) 
GuarS? = D(vs€Seq[Values])(s < Now(ing) + O(s < Now(outq))), 
where the formula XmitS?(p) is the formalization of the statement: "packet p is 
transmitted repeatedly, without any transmissions of other packets," and the formula 
Divr5?(b) is the formalization of “acknowledgements for sequence number b are 
received repeatedly, without receipt of any other acknowledgements." These formulas 
must be defined to be compatible (in a way that is made precise by Lemma I!.6 below) 
with the formulas Xmit™(m) and Divr™(m) in the transmission line specification. Thus, 
Xmit$"(p) = OO(Occurs = SP_pkt_outip) A 
O(Vp 'EPkts)(Occurs = SP_pkt_out:p’— p' = p) 
" Divr§?(b) = OO(Occurs = SP_ack_in:b) A 
O(Vb ‘EBool)(Occurs = SP_ack_in:b'—> b' = b). 


1.10.5 Specification of the Receive Protocol Module 


The receive protocol module interfaces between the SRTL and RSTL transmission 
lines, and implements the complementary half of the transmission protocol. It operates 
as follows: The state of the receive protocol module consists of two sequences, ing and 
outq, of messages, and a boolean sequence number sn. The sequence ing records the 
history of valid messages (with duplications removed) that have been received from the 
unreliable.transmission line SRTL. The sequence outq records the history of messages 
that have been delivered to the receiver. Initially the sequence number sn in the receive 
protocol module’s state matches the sequence number in the state of the send protocol 
module. The receiver waits for packets to be delivered by the SRTL transmission line. If 
a received packet has a sequence number that does not match the current sequence 
number, then it is ignored. If a received packet has a sequence number that matches 
the current sequence number, then the message is extracted from the packet and 
placed at the end of ing. In addition, the current sequence number is complemented. 
At any time, the receive protocol module can transmit acknowledgements for the 
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complement of its current sequence number (i.e. for the sequence number of the last 
valid packet received). 


As in the previous specifications, let the finite set Values be given as a parameter. 

Define the interface of the receive protocol module as follows: 

Events®? = {\} + [RP_pkt_in: Pkts + RP_out: Values + RP_ack_out: Bool] 

InP = {A} + [RP_pkt_in: Pkts] 

OutFP —s = {A} + [RP_out: Values + RP_ack_out: Bool]. 

Pkts = [msg: Values X sn: Bool]. 
Define the state set by: 

States"? = [inq: Seq[Values] < outq: Seq[Values] X sn: Bool]. 


In an initial state, both queues are empty, and the sequence number is false. 
init®??(q) = q(ing) = q(outq) A q(sn) = false 


The pairs that define the state transition relation Trans"? are given below. 


A RP_pkt_Lin event with packet p can occur at any time. If the sequence number in p 
does not match the current sequence number, then there is no effect on the state. !f the 
sequence number in p does match the current sequence number, then the message 
contained in p is appended to ing, and the current sequence number is complemented. 
(RP_pkt_in) Pre, pktin (7 6,p) =e = RP_pktLin:p 
Nextap pat in(P) = (o(sn) # q(sn) > r = q) A 
(p(sn) = g(sn) > r = q[—9(sn)/sn, 
(a(ing))*p(msg)/ing]) 


A RP_ack_out event can occur only for the complement of the current sequence 

number. There is no effect on the state. 

(RP_ack_out) Prene ack out(?: e) =e = RP_ack_out:(—9q(sn)) 
Nextar scr oul 1 req 


An RP_out event with message m can occur only if there is a message in ing that has not 
yet appeared in outq, and m is the first such message. The effect is to append m to 
outd. 
(RP_out) Prepp out(? e,m) =¢ = RP_out:m A q(outq) < q(ing) A 
m = (q(inq-outq))(0) 
Next, .(g, 7, m) =r = q[(q(outq))-m/outa] 
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The validity condition for the receive protocol! module should capture the following 
two requirements: (1) If packet p is received repeately, then eventually 
acknowledgements for the sequence number contained in that packet will be 
transmitted repeatedly; and (2) Every message that appears in ing will eventually appear 
in outq. Formally, 

Valid?P = Rely®? + Guar®P 
Rely®?P = true 
Guar®P = O(vp€Pkts)(Divr®P(p) + Oxmit?P(p(sn))) A 
O(Vs€Seq[Values])(s < Now(inq) —- O(s < Now(outaq))), 
where, as in the previous specifications, Divr®?(p) formalizes the statement, "Packet p is 
received repeately, without any receipt of other packets" and Xmit"?(b) formalizes the 
statement, "Acknowledgement b is transmitted repeately, without any transmission of 
other packets." These formulas are defined as follows: 
Divr®?(o) = OO(Occurs = RP_pkt_in:p) A 
D(Vp ‘€Pkts)(Occurs = RP_pktLin:p '— p‘ = p) 
Xmit??(b) = OO(Occurs = RP_ack_out:b) A 
O(V¥b ‘€Bool)(Occurs = RP_ack_out:b'— b’' = b) 


1.10.6 The Transmission Module Implementation Algebra 
In this section we define the transmission module implementation algebra A™', 
Let the finite set Msgs of message values be given as a parameter. Define 
Pkts = [msg: Msgs X sn: Bool]. 
The index set for the interconnection is the set {SP, RP, SRTL, RSTL}, corresponding to 
the send protocol, receive protocol, send-protocol-to-receive-protocol transmission 
line, and receive-protocol-to-send-protocol transmission line component modules. 
Define the embedded algebras A sat Asp: App: Agar and Aggy, aS follows: 
A...: is the message transmission module event/state algebra A™, with the 
parameter set Values instantiated as the set Msgs. 


Asp! is the send protocol module event/state algebra A®", with parameter 
Values instantiated as the set Msgs. 

Aap’ is the receive protocol module event/state algebra A®?, with 
parameter Values instantiated as the set Msgs. 

Asan. is the transmission line module event/state algebra A™', with 


parameter Values instantiated as the set Pkts. 
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is the transmission line module event/state algebra A™, with 
parameter Values instantiated as the set Bool. 


RSTL’ 


Let the composite interface for the transmission module interconnection be 

defined as follows: 

Events™! = {A} + [in: Msgs + out: Msgs + pkt_out: Pkts + pktLin: Pkts + 

ack_out: Bool + ack_in: Bool] 

In™! = {A} + [in: Msgs] 

Out™! = = {\} + (Events™! ~ In™l) 
Intuitively, events in:m and out:m represent, respectively, the receipt of message m from 
the sender and the delivery of message m to the receiver. Events pkt_out:p and pkt_in:p 
represent, respectively, the presentation of packet p by the send protocol module to the 
SRTL transmission line and the receipt of packet p by the receive protocol module from 
the SRTL transmission line. Events ack_out:b and ack_jn:b represent, respectively, the 
presentation of acknowledgement b by the receive protocol module to the RSTL 
transmission line and the receipt of acknowledgement b by the send protocol module 


Define the abstraction map a™', and the decomposition map 6 ™' as follows: 


a™l(e) = TM_in:m ife = inim 
= TM_out:m ife = outim 
=X otherwise. 
dae) = SP_in:m ife = in:m 
= SP_pkt_out:p ife = pkt_out:p 
= SP_ack_in:b ife = ack_in:b 
=A otherwise. 
dye) = RP_out:m ife = out:m 
= RP_pkt_in:p ife = pktLin:p 
= RP_ack_out:b ife = ack_out:b 
=X otherwise. 
Sour (e) = TL_in:p ife = pkt_out:p 
= TL_out:p ife = pktinip 


=A otherwise. 
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T™I = sa io : 

Sast_(e) = TLin:b ife = ack_out:p 
= TL_out:b ife = ack_in:p 
=X otherwise. 


1.10.7 Proof of Correctness 


In this section we prove the correctness of the implementation 
<3, TM, Sang: “SPierspaprstisatyp Where S,., is defined by <A,,,, Valid™>, and Sep, 
Spe Sasti: Sgar, are defined by <Ag,, ValidS?>, <A.., Valid"P>, <A..,,, Valid™>, and 


<A Valid", respectively. 


SRTL! 
Invariance 


The correctness of the transmission module implementation depends only on the 

invariance of the following: 

(1) Gapsling) = gepling) A q,,,.(outq) = gpp(outq) 

(2) qgp(outa) < qpp(ing) < gg,(inq). 
Condition (1) is the abstraction relation Abs'(q), and states that the abstract 
transmission module's ing is identical to the ing for the send protocol module, and that 
the abstract transmission module's outq is identical to the outq for the receive protocol 
module. Condition (2) is Lemma 1I.4 below, and says that the receive protocol! module’s 
ing is always an extension of the send protocol module’s outq and a prefix of the send 
protocol module’s ing. 


Condition (2) is not inductive as stated, and must be strengthened to permit an 
inductive proof of invariance. We therefore define the implementation invariant 
Inv™'(q) by 

Inv™'(g) = Rep™'(q) a Abs™\(q), 
where Rep™'(q) is the representation invariant and Abs™"(q) is the abstraction relation. 
The abstraction relation is: 

Abs™(q) = daps(iNG) = Ggp(ing) A d4,.(OUta) = dpp(outa). 


The representation invariant Rep™'(q) is defined as follows: 
Rep™'(q) = Queue(q) A (Start(q) v Send(q) v Flip(q) v Ack(q)), 
where 
Queve(q) = ag,(ing) > gg,(outg) A ap,(ing) > g,,(outa) 
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and the formal definitions of Start, Send, Flip, and Ack will be given below. This 
invariant says that, at any instant of time, the histories ing and outq for the send and 
receive protocol modules satisfy certain prefix relationships captured by the predicate 
Queue. In addition, the transmission system is always in one of four kinds of states, 
corresponding to the four predicates Start(q), Send(q), Flip(q), and Ack(q). The 
situations covered by these four predicates, and how they evolve during execution, will 
now be described. 


In a state that satisfies Start, the send and receive protocol modules have the same 
sequence number, the send protocol module’s outg and the receive protocol module’s 
ing are identical, and no new packets or acknowledgements are currently in transit over 
the transmission lines. The predicate Start is satisfied by all initial states. 


States satisfying Start give rise to states satisfying Send when there is an 
unprocessed message at the send protocol module that has been output to (but 
possibly lost by) the transmission line RSTL. In a state that satisfies Send, the send and 
receive protocol modules have the same current sequence number, the outgq of the send 
protocol module and the ing of the receive protocol module are identical, there is an 
unprocessed message at the send protocol module, there may be packets containing 
this message in transit over the transmission line SRTL, and there are no new 
acknowledgements in transit over RSTL. 


States satisfying Send give rise to states satisfying Flip when the first packet 
containing an unprocessed message arrives at the receive protocol module. In a state 
that satisfies Flip, the send and receive protocol modules have complementary current 
sequence numbers, the ing of the receive protocol module is equal to the outq of the 
send protocol module with the newly arrived message appended, and al! packets in 
transit over SRTL or acknowledgements in transit over RSTL are old in the sense that 
they are for a sequence number that is not the one currently expected by the send 
protocol module. 


States satisfying Flip give rise to states satisfying Ack when the first 
acknowledgement for the newly arrived packet is transmitted over RSTL. In a state 
satisfying Ack, the send and receive protocol modules have complementary current 
sequence numbers, the ing of the receive protocol module is equal to the outgq of the 
send protocol module with the still-unacknowledged message appended, all packets in 
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transit over SRTL are oid, but there may be new acknowledgements in transit over 
RSTL. 


To complete the cycle, states satisfying Ack give rise to states satisfying Start 
when the first new acknowledgement is received by the send protocol module. 


For the formal statement of these predicates, it is convenient to define some 
auxiliary predicates, which describe possible states of the transmission lines SRTL and 
RSTL. 


The predicate SRTL_oid is true of a state iff all packets in the SRTL transmission line are 
old, in the sense that they are for the opposite sequence number than the one currently 
expected by the receive protocol module. 

SRTL_old(q) = (V< |95,7, (ing-outa))(dg_qn (ing-outg)(n)(sn) # 9,,,(8n)) 


Similarly, the predicate RSTL_old is true of a state iff all acknowledgements in the RSTL 
transmission line are old, in the sense that they are for the opposite sequence number 
than the one expected by the send nrotocal madule. 

RSTL_old(q) = (Wn < Idgc7, (ing-outa)l)(Gps7, (ing-outg)(n)(sn) # g.,(sn)) 


The predicate SRTL_new is true of a state iff the SRTL transmission line queue consists 
of a (possibly empty) sequence of old packets, followed by a (possibly empty) sequence 
of new packets, each of which contains the first unprocessed message held by the send 
protocol module. 


SRTL_new(q) = (3M < Idgpz, (ing-outg)|)(¥n < Igg,,7, (ing-outa)}) 
((n <m — qq, (ing-outg)(n)(sn) # qp,(sn)) A 
(n > M > Ogpz, (ing-outg)(n) = 
<msg: dgp(ing-outq)(0), sn: Gpp(Sn)>)) 


Similarly, the predicate RSTL_new is true of a state iff the RSTL transmission line queue 
currently consists of a (possibly empty) sequence of old acknowledgments, followed by 
a (possibly empty) sequence of new acknowledgements. 


RSTL_new(q) = (3M < Igpgq, (ing-outg)|)(V1 < lang, (ing-outq))) 
(2 <M > Opgz, (ing-outq)(n) # Ggp(sn)) A 
(n 2 M — Apgz(ing-outg)(n) = gg,(sn))). 
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The formal definitions of the predicates Start, Send, Flip, and Ack are as follows: 

Start(q) = qsp(SN) = dpp(SN) A gg, (outa) = gaping) A 
SRTL_old(q) A RSTL_old(q) 

Send(q) = Ggp(SN) = dpp(SN) A gep(outa) < gep(ing) A ggp(outq) = g,p{ing) A 
SRTL_new(q) A RSTL_old(q) 

Flip(g) = Q¢p(sn) # gpp(sn) A ggp(outq) < ggp(ing) A 
(q,p(outq))q,,,{ing-outq)(0) = q,,{ing) A 
SRTL_old(q) A RSTL_old(q) 

Ack(q) = Q¢p(Sn) # 9pp(SN) A dgp(outq) < ggp(ing) A 
(q,p(outa))q.,(ing-outg)(0) = dppling) A 
SRTL_old(q) A RSTL_new(q). 


We now consider the proof that Inv™'(q) is invariant. 


(Basis): = (Wq€States™')(init™'(q) — Inv™'(q)). 

If q is an initial state then all queues are empty and the sn components of the state of 
both the send protocol module and the receive protocol module have value false. It is 
easily verified from this that Abs™'(q) ~ Queue(q) A Start(q) holds. 


(Induction):  (Wq,r€States™'!, e€Events™')(Trans™(q, e, r) > (Inv™(q) > Inv™'(r))). 
Suppose that Inv™'(q) holds and that Trans™(q, e, r) holds. 


We first examine the problem of showing that Abs™'(r) holds. Abs™'(r) is easily 
seen to be true, since the only events that affect components of the state upon which 
Abs™! depends are the events in:m and out:m. Comparison of the definitions of 
Trans™, TransS”, and Trans®? shows that the events in:m and out:m maintain the 
desired correspondence between the abstract module state and the states of the send 
and receive protocol modules. 


To see that Queue(r) holds, note that the definitions of Trans§? and Trans"” imply 
that the ing and outq components of the states of the send and receive protocol 
modules can only change in one of the following two ways: 

- Anew message is appended to the end of ing. 

- The first element of ing — outq is appended to the end of outq. 
Neither of these two kinds of changes can cause outq not to be a prefix of ing, and thus 
Queue(r) must hold. 


- 198 - 


To show that Start(r) v Send(r) v Flip(r) v Ack(r) holds, we claim that all events 
preserve the truth of the predicates Start, Send, Flip, and Ack, except in the following 
cases: ; 

- {f Start(q) is true and e = pkt_out:p, then Send(r) is true. 

- If Send(q) is true and e = pkt_in:p, with p(sn) = q,,,(sn), then Flip(r) is true. 

- If Flip(q) is true and e = ack_out:b, then Ack(r) is true. 

- If Ack(q) is true and e = ack_in:b, with b = Agp(SN), then Start(r) is true. 
It is a straightforward, but tedious process to verify the truth of this claim by exhaustive 
case analysis. 


The following consequence of the invariance of Inv™'(q) is the crucial fact used in 
the maximality and validity proofs below. 


Lemma !1.4 - The following are invariant for the transmission module implementation: 
(8) Qs,(outq) < dppling) 
(b) g,,,(ing) < ggp(ing) 


Proof - The invariance of Start(q) v Send(q) v Flip(q) v Ack(q) implies the invariance of 
(1) Appling) = dg,(outa) v | 

(sping) > dgp(outg) A dppling) = (agp(outa))a5p(ing-outa)(0)). 
Suppose the first disjunct of (1) holds, that is qg,(outq) = q,,{ing). Then (a) is © 
immediate. The invariance of Queue(q) implies that qo,(outq) < Qsp(ing), thus yielding 
(b). Now suppose that the second disjunct of (1) holds. It is a fact about finite 
sequences that if s, s‘ are finite sequences, and s > s'‘, then s > s’m, where m = 
(s - s’)(0). This fact permits us to conclude, from the second disjunct of (1), that 
Gsp(ing) > (Ggp(outg))g,,,(ing-outq)(0) = 9,,.(ing) > g,,(outg), yielding (a) and (b). 8 


Maximality 


The maximality verification condition is: 
= (VqeStates™', e€Events™')(Inv™\(q) A Enabled,,(q, e) A Enabled,,(q, e) A 
Enabled,,,,, (q, e) A Enabled,.,, (q, e) 
~ Enabled, ,..(q, e)). 
Examination of the definition of Trans™ shows that Enabled ,. .(q, @) is identically true 
unless e = ouf:m. Thus it suffices to show that, for all q € States™! and all m € Msgs, if 
inv™\(q) and Enabled,,,(q, out:m) hold, then Enabled, .(q, out:m) holds as well. 
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Suppose now that Inv™"(q) and Enabled,,(q, out:m) hold. It suffices to show that 
(1) dgp(ing) > qp,(outa) 
holds, for then the assumption that Inv™'(q) (and hence Abs™'(q)) holds implies that 
Gapstina) > 9,,,(outg) holds, which in turn implies that Enabled ,..(q, out:m) holds. 


By definition of Enabled,,(q, out:m), we know that 
(2) dap(outa) < 9pp(iNg) A gpp(ing-outg)(0) = m 
holds. Informally, if e = out:m, then m must be the first message in the receive protocol 
module’s ing, that has not yet been transferred to its outq. The truth of (1) follows from 
(2) and Lemma I!.4 (b). @ 


Validity 


To prove that the validity verification condition holds for the transmission module 
implementation, we use Corollary !.4. We use the well-founded partial ordering < on the 
set {SP, RP, RSTL, SRTL} that includes exactly the pairs SRTL < SP, RP < SP, and 
RSTL < SP. Under this ordering, hypotheses (1) and (2) of Corollary 1.4 are as follows: 
(TMi1): Comp™! = fGuar®"j.,, a [Guar"y,, A [Guar™]47, A iGuar™jo., > 

[Guar™) 
(TMI2) Comp™! & [Guar]... A [Guar®?],, a [Guar™],.,, > [Rely*"]q,. 
These two conditions capture abstractly the important relationships between the validity 
conditions of the various modules. 


We now prove that (TMI1) and (TMI2) are consequences of the module 
specifications. 


Lemma II.5 - Condition (TMI1) holds for the transmission module implementation. 


Proof - Assume Comp™! and [GuarS?],,, and [Guar"?]_.. Using the definition of 
[GuarS?}.,,, we have 
O(vs€Seq[Msgs])(s < Now,,(ing) + O(s < Now,,(outg))). 
From this and Lemma II.4 (a), we obtain 
C(Vs€Seq[Msgs])(s < Now,,(ing) + O(s < Now,,(ingq))). 
Using the assumption [Guar®?]__., gives 
C(vs€Seq[Msgs])(s < Now,,(ing) - O(s < Now,,,(outq))). 
From an application of the invariance of Abs™!, we conclude 


D(vs€Seq[Msgs])(s < Now,, (ing) + O(s < Now,, (outq))). § 


The proof of condition (TMI2) makes use of the following lemma, which expresses 
the principle that guided our choices for the definitions of the various Xmit and Divr 
formulas in the specifications above. 


Lemma 11.6 - The following hold for the transmission module implementation: 
FE [Xmit(p) [op <> [Xmit™ (D) gan 
= [Divr5P(b)],, <> [Dive (6) age, 
& [xmit"?(o)] ap > [Xmit™()Iasr. 
F= [DivrP(p)] 5 <> [Dive™(p)I car, - 


Proof - Straightforward from the module specifications and the definition of the 
decomposition map 6 ™'. § 


Lemma li.7 - Condition (TMI2) holds for the transmission module implementation. 


Proof - Suppose that Comp™', fValid™I..,, fValid"Pp., and fvalid™} 4, hold. 
Suppose, to obtain a contradiction, that [Rely], holds. From the definition of 
{Rely$?].,,, we know that 

(1) O(3pEPkts)([xmitS"(p)],, A O-fDivr"(p(sn))]. cp) 
holds. That is, eventually a point is reached after which the packet p is transmitted 
infinitely often, without intervening transmission of other packets, but infinitely many 
acknowledgements for the sequence number contained in p are not received by the 
send protocol module. From (1) and Lemma I!.6 we infer 

(2) (3p€Pkts)({Xmit™(p)] a7, A O-PDIvr5"(p(sn))},,)- 
From (2) and the assumption that [Valid™].,,, holds, we deduce 

(3) (3p€Pkts)([DIvr™(p)] 45, A O-[Divr5"(p(sn)) I.) 
That is, packet p is delivered infinitely often to the receive protocol module, without 
intervening delivery of other packets, but infinitely many acknowledgements for the 
sequence number contained in p are not received by the send protocol module. From 
(3), another application of Lemma 1I.6 shows 

(4) O(ap€Pkts)({Divr*?(p)],, A 7 DivrS"(p(sn)) I} sp)- 
From this, an application of [Valid"?]_., shows 

(5) (3p€Pkts)([Xmit®?(p(sn))],,p A O-[Divr5"(p(sn))],,)- 
That is, an acknowledgement for the sequence number contained in packet p is 
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repeatedly transmitted by the receive protocol module, but infinitely many 
acknowledgements for p are not received by the send protocol module. Applying 
Lemma 11.6, [Valid™]..,,,,and Lemma II.6 again, shows that 

(6) O(4p€Pkts)([DIvr5°(p(sn))].,, A I] DIvr5"(p(sn))] sp). 
This is a contradiction, and we conclude that (TMI2) must hold. 8 


Appendix Ill - Index of Definitions 


abstraction map 
%3-abstraction map 
1/O-abstraction map 
abstraction operator 
asynchronous 
asynchronous product 
behavior 
3-behavior 
1/O-behavior 
primitive behavior 
canonical projection 
coherent 
Completeness Theorem 
compatible coupling property 
composite machine 
composition operator 
computation 
valid computation 
consistent 
3-consistent 
1/O-consistent 
locally 3-consistent 
correct 
4-correct 
Correctness Theorem 
cycle 
decomposition map 
$-decomposition map 
canonical decomposition map 
1/O-decomposition map 
determinate 
quasi-determinate 
embedding 
enabled 
event 
input event . 
null event 
output event 
event/state algebra 
evolutionary 
explicit 
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fair 
future 
history 
history skeleton 
1/O-system 
implementation 
3-implementation 
implementation algebra 
implementation invariant 
Induction Principle 
inductive 
input-cooperative 
interconnection 
3-interconnection 
embedded interconnection 
interface 
abstract interface 
component interface 
composite interface 
4-interface 
1/O-interface 
system interface 
initial state set 


invariant 
isomorphic 
maximality condition 
machine 
embedded machine 
1/O-machine 
PS-machine 
system machine 
null step 
observation 
orthogonal 
possibilities mapping 
preserves 
strictly preserves 
productive step set 
reachable 
regular 
rely-/guarantee-conditions 
repeatedly 
runs 
satisfies 


skeletal sequence 
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spans 
specification 
state-transition specification 
subset specification 
specification domain 
specification language 
state function 
state-transition relation 
translation 
Translation Lemma 
truncation 
truncation-closed 
validity condition 


